Poly Network Exploit

On August 10th, 2021, Poly Network was attacked by anonymous white hat hacker or hackers, causing over $610 million in digital crypto assets at the price of that date to be transferred to hacker-controlled addresses. Eventually, all assets were returned to Poly Network over the next 15 days. This was the largest security incident in DeFi's history in terms of the value of stolen assets at the price of that date.

Overview

Poly Network is an interoperability protocol for heterogeneous blockchains, which lets users swap tokens from one digital ledger to another. Poly Network works by facilitating exchange between several blockchains as users trade one cryptocurrency for another, such as trading Bitcoin for Ether. Currently, Poly Network implements interoperability between 11 heterogeneous chains including Bitcoin, Ethereum and so on.^[1]

Since the launch of the main net until the attack, Poly Network has transferred $10 billion in digital assets between blockchains, with total locked value of nearly $1 billion across the whole network, of which the white hat hackers transferred approximately $610 million of the most valuable digital assets to three addresses controlled by the hackers on Ethereum, Binance Smart Chain and Polygon.^{[citation needed]}

File:How Poly Network lost 610M dollar and got it back.png

Assets List
Token	Platform	Amount	Transaction Hash
USDC	Ethereum	96,389,444.229984	0x5a8b2152ec7d5538030b53347ac82e263c58fe7455695543055a2356f3ad4998
WBTC	Ethereum	1,032.12483694	0x3f55ff1fa4eb3437afe42f4fea57903e8e663bc3b17cb982f1c8d4c8f03a2083
DAI	Ethereum	673,227.941533113298891801	0xa7c56561bbe9fbd48e2e26306e5bb10d24786504833103d3f023751bbcc8a3d9
UNI	Ethereum	43,023.751365396442021965	0xc917838cc3d1edd871c1800363b4e4a8eaf8da2018e417210407cc53f94cd44e
SHIB	Ethereum	259,737,345,149.519786617235448706	0xe05dcda4f1b779989b0aa2bd3fa262d4e6e13343831cb337c2c5beb2266138f5
renBTC	Ethereum	14.47265047	0xb12681d9e91e69b94960611b227c90af25e5352881907f1deee609b8d5e94d7d
USDT	Ethereum	33,431,197.734821	0x06aca16c483c3e61d5cdf39dc34815c29d6672a77313ec36bf66040c256a7db3
WETH	Ethereum	26,109.060672756730881958	0xc797aa9d4714e00164fcac4975d8f0a231dae6280458d78382bd2ec46ece08e7
FEI	Ethereum	616,082.589988960251715574	0xd8c1f7424593ddba11a0e072b61082bf3d931583cb75f7843fc2a8685d20033a
ETH	Ethereum	26,109.060672756730881958	0x93bacc30f19e46ae40d6a7f38d8a7f8fbc49c979a454dd6d9a4b2577d317636d
ETH	Ethereum	2,857.486346845890372134	0xad7a2c70c958fcd3effbf374d0acf3774a9257577625ae4c838e24b0de17602a
USDC	Binance Smart Chain	87,603,373.774864499503468781	0xd59223a8cd2406cfd0563b16e06482b9a3efecfd896d590a3dba1042697de11a
USDC	Binance Smart Chain	298.940563273249676643	0xea37b320843f75a8a849fdf13cd357cb64761a848d48a516c3cac5bbd6caaad5
ETH	Binance Smart Chain	26,629.159998706545651647	0x4e57f59395aca4847c4d001db4a980b92aab7676bc0e2d57ee39e83502527d6c
BTCB	Binance Smart Chain	1,023.880948564689526459	0x50105b6d07b4d738cd11b4b8ae16943bed09c7ce724dc8b171c74155dd496c25
BUSD	Binance Smart Chain	32,107,854.114341286723103272	0xd65025a2dd953f529815bd3c669ada635c6001b3cc50e042f9477c7db077b4c9
BNB	Binance Smart Chain	6,613.440489806866981869	0x534966864bda354628d4f1c66db45cbefcdda7433e9576e7664fea01bb05be9a
USDC	Polygon	85,089,610.911661	0x1d260d040f67eb2f3e474418bf85cc50b70101ca2473109fa1bf1e54525a3e01
USDC	Polygon	108.694578	0xfbe66beaadf82cc51a8739f387415da1f638d0654a28a1532c6333feb2857790

After the attack, the Poly's team asked exchanges and miners to be aware of the flow of stolen tokens and called for the hacker's transactions to be stopped, Tether froze $33 million worth of USDT. In an open letter on Twitter, the Poly team wanted to establish communication with the hackers and urge the hackers to return the stolen tokens.

The hackers announced on August 11, 2021 that they had been planning to return the tokens and the purpose of the theft was to reveal vulnerabilities and secure Poly Network. They posted a self Q&A to communicate with the public by embedding messages in transactions with their addresses. ^[2]

The hackers then required multi-signature addresses for transfer. Poly Network generated a collection address and started to recover the assets that were returned first on August 11. On August 13, the hackers returned assets worth $340 million and transferred the bulk of the rest to a multi-signature address jointly controlled by them and Poly Network.^[3]

After receiving tokens, Poly Network started to address the hackers as "Mr. White Hat" and offered to reward them with $500,000 bug bounty and the position of "chief security advisor" of Poly Network, as a strategy to ensure safe return of the rest affected assets.^[4]

On August 25, the Poly Network Exploit was finally ended with the hackers releasing the last private key.^{[citation needed]}

Exploit Analysis

An initial investigation disclosed that the hackers exploited a "vulnerability between contract calls" in Poly Network's system and transferred millions of dollars in tokens to multiple separate cryptocurrency wallets. This includes 2,858 ether tokens worth about $267m, $252m of Binance coins and around $85 million in USDC tokens.^[5] ^[6]

According to SlowMist, the hack was executed in the following way:

Poly Network has a privileged contract called ethCrossChainManager, which has the right to trigger messages from another blockchain. There is a feature that allows parties to perform cross-chain transactions. This feature validates the transaction request and adds it to the blockchain.^{[citation needed]}

The key flaw is that this function can be used to call on the ethCrossChainData contract, which maintains a list of public keys that authenticate incoming data from other chains. The EthCrossChainData contract is owned by ethCrossChainManager. Therefore, the malicious party can trick ethCrossChainManager into calling ethCrossChainData and pass the unique owner check. With the correct data, they can trigger the function of changing the public key.^{[citation needed]}

Criticism

In Q&As posted on Ethereum the anonymous hackers claimed they carried out the heist for fun and to encourage Poly Network to improve its security. Poly Network team have accepted the explanation and called the hackers "Mr White Hat". Poly Network team also offered the hacker $500,000 worth of Ether as a bounty for the bug, and invited the hacker to be its chief security advisor.

The alleged move has angered some in the security world who are worried that it might set a precedent for criminal hackers to white-wash their actions. A white hat hacker Katie Paxton-Fear said that "labelling this hack as a white hat is really disappointing".^[7] Charlie Steele, former Department of Justice and FBI official, thought "Private companies have no authority to promise immunity from criminal prosecution," and "in this event where a hacker stole the $600m 'for fun' and then returned most of it, all while remaining anonymous, is not likely to lessen regulators' concerns about the variety of risks posed by cryptocurrencies."^[7]

Aftermath

Poly Network launched the global bug bounty program on Immunefi. The program aims at encouraging more security agencies and white hat organizations to participate in the audit of Poly Network's core functions, especially to address potential security risks. Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System — the rewards range up to $100,000 for critical vulnerabilities.^{[citation needed]}

Hacks such as this one are ultimately good for DeFi in the long run, as it will increase scrutiny, governance, and improve the security posture of the networks. In the short term, this high profile Poly Network hack will be jumped on by the ill-informed to denigrate the entire DeFi movement, and while lessons need to be learned for sure, people need to be aware of the progress made so far by the DeFi community is what is in intents and purposes less than a decade old.^[8]

Reference

↑ "Poly Network Whitepaper". https://poly.network/PolyNetwork-whitepaper.pdf.
↑ Russon, Mary-Ann (2021-08-11). "Cryptocurrency heist hacker returns $260m in funds". BBC. https://www.bbc.com/news/business-58180692.
↑ John, Alun (2021-08-14). "Crypto platform Poly Network rewards hacker with $500,000 'bug bounty'". Reuters. https://www.reuters.com/technology/crypto-platform-poly-network-rewards-hacker-with-500000-bug-bounty-2021-08-13/.
↑ "White hat' hacker behind $610m crypto heist returns most of money". The Guardian. https://www.theguardian.com/technology/2021/aug/13/white-hat-hacker-behind-610m-crypto-heist-returns-most-of-money.
↑ "Hackers steal $600m in major cryptocurrency heist". BBC. https://www.bbc.com/news/business-58163917.
↑ Browne, Ryan (2021-08-17). "Crypto platform hit by $600 million heist asks hacker to become its chief security advisor". CNBC. https://www.cnbc.com/2021/08/17/poly-network-cryptocurrency-hack-latest.html.
↑ ^7.0 ^7.1 Tidy, Joe (2021-08-13). "Crypto hacker offered reward after $600m heist". BBC. https://www.bbc.com/news/business-58193396.
↑ Dickens, Steven (2021-08-12). "What Does the Poly Network Hack Mean for DeFi". Futurum Research. https://futurumresearch.com/research-notes/what-does-the-poly-network-hack-mean-for-defi/.

External Links

Poly Network official website
White hat hacker's address on Ethereum
White hat hacker's address on Binance Smart Chain
White hat hacker's address on Polygon
Record of hacker's Q&A

0.00

(0 votes)

[1] "Poly Network Whitepaper". https://poly.network/PolyNetwork-whitepaper.pdf.

[2] Russon, Mary-Ann (2021-08-11). "Cryptocurrency heist hacker returns $260m in funds". BBC. https://www.bbc.com/news/business-58180692.

[3] John, Alun (2021-08-14). "Crypto platform Poly Network rewards hacker with $500,000 'bug bounty'". Reuters. https://www.reuters.com/technology/crypto-platform-poly-network-rewards-hacker-with-500000-bug-bounty-2021-08-13/.

[4] "White hat' hacker behind $610m crypto heist returns most of money". The Guardian. https://www.theguardian.com/technology/2021/aug/13/white-hat-hacker-behind-610m-crypto-heist-returns-most-of-money.

[5] "Hackers steal $600m in major cryptocurrency heist". BBC. https://www.bbc.com/news/business-58163917.

[6] Browne, Ryan (2021-08-17). "Crypto platform hit by $600 million heist asks hacker to become its chief security advisor". CNBC. https://www.cnbc.com/2021/08/17/poly-network-cryptocurrency-hack-latest.html.

[BBC-7] 7.0 ^7.1 Tidy, Joe (2021-08-13). "Crypto hacker offered reward after $600m heist". BBC. https://www.bbc.com/news/business-58193396.

[8] Dickens, Steven (2021-08-12). "What Does the Poly Network Hack Mean for DeFi". Futurum Research. https://futurumresearch.com/research-notes/what-does-the-poly-network-hack-mean-for-defi/.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]