Poly Network hack exposes DeFi flaws, but community comes to the rescue

Published at: Aug. 16, 2021

Although it seemed crypto hacks were on the decline, just recently, the market bore witness to one of the largest-ever attacks in the young history of decentralized finance (DeFi), wherein an unknown hacker was able to exploit a loophole in cross-chain protocol Poly Network’s digital framework, thereby walking away with a cool $610 million from three separate blockchains.

The Poly Network is a collaborative project helmed by Ontology, Neo and Switcheo. It seeks to foster a “heterogeneous interoperability protocol alliance” integrating blockchains into the larger cross-chain ecosystem. Thanks to its infrastructure, the protocol allows users to swap tokens across different blockchains seamlessly.

Further elaborating on the development, Poly Network’s core developer team has revealed that the attack resulted in roughly $273 million from Ethereum, $85 million in USD Coin (USDC) from the Polygon network, and $253 million from the Binance Smart Chain being compromised. Furthermore, sizable amounts of renBTC, wrapped Bitcoin (wBTC) and wrapped Ether (wETH) were also lost as part of the exploit.

In regards to how the hack happened, Anton Bukov, co-founder of DeFi aggregator 1inch Network, told Cointelegraph that one of Poly Network’s sub-systems — designed to be capable of forwarding users’ smart contract interactions among different blockchains — turned out to be faulty, adding:

“The hacker bridged fake transaction interactions on one chain to make the system contract on another, transferring ownership rights for the assets’ vault to the hacker’s public key. Poly Network’s developers and auditors didn’t notice the vulnerability, allowing for multiple arbitrary user calls via a smart contract that has many privileges.”
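To make the pattern Bukov describes concrete, here is an added Solidity illustration (not Poly Network's code; every contract and function name in it is hypothetical): a privileged relay that forwards whatever call a cross-chain message names can be pointed at the very registry holding the keeper key that only the relay is allowed to change, whereas a hardened relay restricts forwarded calls to pre-registered destinations and never to its own privileged components.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added illustration, not Poly Network's code; all names are hypothetical.
// Keeper-signature verification of the incoming message is omitted in both
// relays so that the difference in target restriction stands out.

// Holds the keeper public key used to validate cross-chain messages.
// Only its owner (the relay contract that deployed it) may change it.
contract KeeperRegistry {
    address public immutable owner;
    bytes public keeperPubKey;
    constructor() { owner = msg.sender; }
    function setKeeperPubKey(bytes calldata key) external {
        require(msg.sender == owner, "not owner");
        keeperPubKey = key;
    }
}

// Vulnerable pattern: the target address and calldata carried by a message
// are executed with the relay's own authority. Because the relay owns the
// registry, a message naming the registry as target can replace the keeper
// key, after which the attacker's own messages pass verification.
contract RelayVulnerable {
    KeeperRegistry public immutable registry;
    constructor() { registry = new KeeperRegistry(); }
    function execute(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "forwarded call failed");
    }
}

// Hardened pattern: a forwarded call may only reach a destination the admin
// registered in advance, and neither the registry nor the relay itself can
// ever be registered, so no cross-chain message can administer the bridge.
contract RelayHardened {
    KeeperRegistry public immutable registry;
    address public immutable admin;
    mapping(address => bool) public allowedTarget;
    constructor() { registry = new KeeperRegistry(); admin = msg.sender; }
    function allowTarget(address t) external {
        require(msg.sender == admin, "not admin");
        require(t != address(registry) && t != address(this), "privileged target");
        allowedTarget[t] = true;
    }
    function execute(address target, bytes calldata data) external {
        require(allowedTarget[target], "target not allowed");
        (bool ok, ) = target.call(data);
        require(ok, "forwarded call failed");
    }
}
```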

Putting on a white hat

Providing his thoughts on the matter, John Jefferies, chief financial analyst of CipherTrace, told Cointelegraph that this incident has been especially interesting compared to any DeFi hacks of the past, which typically used a form of flash loans and arbitrage to exploit a smart contract and steal funds, adding:

“The hacker essentially found an exploit that allowed him to bypass the private keys and have the contract just send the funds to himself. In all the swapping the hacker has done in an effort to obfuscate their trail, it appears the hacker had at one point reused a wallet that already had previous transactions with some prominent exchanges that would have identifying KYC information on him.”

Also, Jefferies is not entirely convinced of what the hacker’s intentions were, even though all of the stolen funds are now back where they belong. “It is unlikely that a white hat would have taken the steps to attempt to obfuscate the funds trail if they had always intended on returning the money,” he opined.

In a strange yet interesting turn of events, soon after the breach, the Poly Network hacker conducted an Ask Me Anything-style self-interview, using messages embedded in Ethereum transactions. When asked why the Poly Network, in particular, was chosen as a target, the hacker answered “cross chain hacking is hot,” adding that they had spent a good amount of time trying to identify vulnerabilities on the network to exploit.

Not only that, the hacker claimed that the plan was never to keep the $610 million, but rather to expose the vulnerability to the masses before Poly Network’s developers could quietly fix the bug. “I would like to give them [Poly Network] tips on how to secure their networks, so that they can be eligible to manage a billion [dollar] project in the future.” He went on to add:

“When spotting the bug, I had mixed feelings. Ask yourself what would you do if you were faced with such a fortune. Asking the project team politely so that they can fix it? Anyone could be the traitor given one billion. I can trust nobody! The only solution I can come up with is saving it in a trusted account.”

The funds are back

Poly Network released a statement on Thursday announcing that all $610 million of the funds had been transferred to a multisig wallet that it controls jointly with the hacker. The only remaining tokens are $33 million worth of Tether (USDT), which were frozen immediately following news of the attack.

The Poly Network hacker started off by returning a significant portion of the stolen funds to the cross-chain DeFi protocol. Indeed, a little over a day after the event, CipherTrace confirmed that at least $265 million had been returned to Poly Network in the form of $1 million in USDC; $256.2 million mostly via Bitcoin BEP-2 (BTCB), Binance-pegged Ether and Binance USD (BUSD); $2.637 million in Binance Coin (BNB); and $3.4 million in Shiba Inu (SHIB), renBTC and Fei.

From the very beginning, the attacker claimed to be willing to return the entirety of the stolen funds — a promise that was fulfilled this past Thursday — and said the intention was to teach Poly an expensive lesson about its security flaws.

However, Tom Robinson, chief scientist at blockchain analytics firm Elliptic, is of the view that the change of heart might have been due to the fact that the hacker found it extremely difficult to launder/cash out the stolen assets due to the transparency of the blockchain.

Sebastian Bürgel, founder of Ethereum-based data privacy protocol HOPR, told Cointelegraph that while thefts are never a good thing, he thinks that it’s impressive that the DeFi community was able to come together — from Tether freezing $33 million worth of USDT to OKEx and Binance lending a helping hand in monitoring the siphoned funds — to prevent the hacker from withdrawing or exchanging any of the involved assets, adding:

“Hopefully, it will encourage a greater focus on security and auditing. DeFi enthusiasm is infectious, but it’s important to remember that there is huge value at stake. The desire to move quickly can’t trump security.”

“No, thank you,” says “Mr. White Hat”

After determining the hacker’s motives to be completely clean, a spokesperson for the Poly Network said that the company was willing to offer the individual — whom the company dubbed “Mr. White Hat” — a $500,000 bounty via a message that read, “We will send you the 500k bounty when the remaining funds are returned except the frozen USDT.”

Surprisingly, the hacker politely refused, stating that he never responded to the offer. “I will send all of their money back,” he said, signing off.


With all of the funds back in place — bar the aforementioned frozen USDT — it appears as though the largest hack in decentralized finance history has finally come to a close. And though the hacker’s identity remains a mystery, Chinese cybersecurity firm SlowMist recently released an update claiming that its security team had been able to identify the attacker’s email address, IP address and device fingerprint.

Hopefully, this episode serves as a stern reminder of how security should always be of supreme importance when laying the foundation of any project, regardless of its technological proposition. Therefore, it will be interesting to see how startups and other firms operating within DeFi continue to evolve and upgrade their existing security setups because the next time around, the hacker may be unwilling to return the money.
