The story of the most bizarre crypto hack where the hacker's only motive was to improve the network security and keep the investors safe. Read more!
What Is the Poly Network Hack?
- A separate wallet for several blockchain projects it caters to, such as Ethereum, Bitcoin, and NEO.
- Smart contracts that allow users to swap native tokens of the aforementioned platforms and more.
- The Poly Network platform where the smart contracts operate.
One of the smart contracts of the network was attacked by a hacker. This resulted in a transfer of $612 million worth of ETH, USDT, and NEO to multiple proxy wallets.
When Did It Happen?
Poly Network communicated with the attacker directly, requesting him to return the funds. The platform admitted to having noticed the loophole in their security and even offered to appoint the hacker as their “Chief Security Officer.’’ Some investors and the company itself put a price tag on the return of the funds by the attacker. It was useless, as the attacker messaged:
“You don't know me. Money means little to me, some people are paid to hack, I would rather pay for the fun. I am considering taking the bounty as a bonus for public hackers if they can hack the Poly Network. (They can win double if they feel the current plan is awkward). If the Poly don't give the imaginary bounty, as everybody expects, I have well enough budget to let the show go on. Just some funny thoughts but I may probably make them come true. If you are still confused, ask some richer friends, what is money for? I trust some of their code, I would praise the overall design of the project, but I never trust the whole poly team. My only guilt was triggered from the refugees. All of my actions were determined since I made the final decision to be eternal. I am a little bit surprised that you call them professional negotiators, just look at their tense and repetitive words. If the Poly really got my initial idea, they could be less embarrassed. I published their request so that they got the chance to be a winner. Who do you think is dominating the game?”
On Aug. 11, the hacker initiated the return, stating that he felt sorry for the victims.
Poly Network offered a bug bounty of $500,000 to the hacker together with the promises of no legal repercussions. The hacker, however, said that the money will be distributed amongst the affected traders.
Post-Mortem of the Hack
Investigation into the attack revealed a loophole in the operation between two Poly contracts: EthCrossChainManager and EthCrossChainData. The EthCrossChainData is an owner-limited contract that cannot be accessed by anyone else. By gaining access to it, the hacker was able to move large volumes of funds to multiple wallets at the same time by replacing the Keeper’s key with their own. The hacker triggered the EthCrossChainManager to allow interchain transactions between the Poly Network and the Ethereum network.
EthCrossChainManager governs the EthCrossChainData. The former is also a type of high-privileged contract that can execute cross-chain transactions. By targeting the EthCrossChainData, the attacker was able to replace the Keeper’s key in the EthCrossChainData with their own. It granted the attacker the Keeper status for multiple wallets, including Ethereum, Binance, Neo, and Tether. All tokens were channeled into the attacker’s secret wallet.
Kelvin Fitcher tweeted about the fiasco:
‘’One of the biggest design lessons that people need to take away from this is: if you have cross-chain relay contracts like this, MAKE SURE THAT THEY CAN'T BE USED TO CALL SPECIAL CONTRACTS. The EthCrossDomainManager shouldn't have owned the EthCrossDomainData contract'’.
Impact on the Crypto Community
The aftermath of the hack was that Poly Network acknowledged its security loophole. It also reinforced the idea that blockchain is not synonymous with security. The threat in crypto is more or less the same as in real-world transactions.
DeversiFi CTO Konrad Strachan commented that the hack exposed an Ethereum 'library defect’ that made the blockchain vulnerable. Additional security layers were consequently added in an attempt to enhance security.
Other Noteworthy Crypto Hacks
The history of the cryptocurrency and blockchain industry is full of hacks and scams that offer valuable lessons to users and developers. Some of these include:
- The Coincheck hack
- The KuCoin hack
- The Mt. Gox hack
- The Bitgrail hack
- The Bitfinex hack
- CryptoCore/Lazarus hack
- The Africrypt hack