Although it seemed crypto hacks were on the decline, just recently, the market bore witness to one of the largest-ever attacks in the young history of decentralized finance (DeFi), wherein an unknown hacker was able to exploit a loophole in cross-chain protocol Poly Network’s digital framework, thereby walking away with a cool $610 million from three separate blockchains.
The Poly Network is a collaborative project helmed by Ontology, Neo and Switcheo. It seeks to foster a “heterogeneous interoperability protocol alliance” integrating blockchains into the larger cross-chain ecosystem. Thanks to its infrastructure, the protocol allows users to swap tokens across different blockchains seamlessly.
Further elaborating on the development, Poly Network’s core developer team has revealed that the attack resulted in roughly $273 million from Ethereum, $85 million in USD Coin (USDC) from the Polygon network, and $253 million from the Binance Smart Chain being compromised. Furthermore, sizable amounts of renBTC, wrapped Bitcoin (wBTC) and wrapped Ether (wETH) were also lost as part of the exploit.
In regards to how the hack happened, Anton Bukov, co-founder of DeFi aggregator 1inch Network, told Cointelegraph that one of Poly Network’s sub-systems — designed to be capable of forwarding users’ smart contract interactions among different blockchains — turned out to be faulty, adding:
“The hacker bridged fake transaction interactions on one chain to make the system contract on another, transferring ownership rights for the assets’ vault to the hacker’s public key. Poly Network’s developers and auditors didn’t notice the vulnerability, allowing for multiple arbitrary user calls via a smart contract that has many privileges.”
Putting on a white hat
Providing his thoughts on the matter, John Jefferies, chief financial analyst of CipherTrace, told Cointelegraph that this incident has been especially interesting compared to any DeFi hacks of the past, which typically used a form of flash loans and arbitrage to exploit a smart contract and steal funds, adding:
“The hacker essentially found an exploit that allowed him to bypass the private keys and have the contract just send the funds to himself. In all the swapping the hacker has done in an effort to obfuscate their trail, it appears the hacker had at one point reused a wallet that already had previous transactions with some prominent exchanges that would have identifying KYC information on him.”
Also, Jefferies is not entirely convinced of what the hacker’s intentions were, even though all of the stolen funds are now back where they belong. “It is unlikely that a white hat would have taken the steps to attempt to obfuscate the funds trail if they had always intended on returning the money,” he opined.
In a strange yet interesting turn of events, soon after the breach, the Poly Network hacker conducted an Ask Me Anything-style of self-interview, using embedded messages in Ethereum transactions. When asked about why the Poly Network, in particular, was chosen as a target, the hacker answered “cross chain hacking is hot,” adding that they spent a good amount of time trying to identify vulnerabilities on the network to exploit.
Not only that, the hacker claimed that the plan was never to keep the $610 million, but rather expose the vulnerability to the masses before Poly Network’s developers could secretly fix the bug. “I would like to give them [Poly Network] tips on how to secure their networks, so that they can be eligible to manage a billion [dollar] project in the future.” He went on to further add:
“When spotting the bug, I had mixed feelings. Ask yourself what would you do if you were faced with such a fortune. Asking the project team politely so that they can fix it? Anyone could be the traitor given one billion. I can trust nobody! The only solution I can come up with is saving it in a trusted account.”
The funds are back
Poly Network released a statement on Thursday announcing that all $610 million of the funds had been transferred to a multisig wallet that is under its purview along with the hacker. The only remaining tokens include $33 million worth of Tether (USDT), which were frozen immediately following news of the attack.
The Poly Network hacker started off by returning a significant portion of the stolen funds to the cross-chain DeFi protocol. Indeed, a little over a day after the event, CipherTrace confirmed that at least $265+ million had been returned to Poly Network in the form of $1 million in USDC; $256.2 million mostly via Bitcoin BEP-2 (BTCB), Binance pegged-Ether and Binance USD (BUSD); $2.637 million in Binance Coin (BNB); and $3.4 million in Shiba Inu (SHIB), renBTC and Fei.
From the very beginning, the attacker claimed to be willing to return the entirety of the stolen funds — a promise that was delivered this past Thursday — claiming that the intention was to teach Poly an expensive lesson about its security flaws.
However, Tom Robinson, chief scientist at blockchain analytics firm Elliptic, is of the view that the change of heart might have been due to the fact that the hacker found it extremely difficult to launder/cash out the stolen assets due to the transparency of the blockchain.
Sebastian Bürgel, founder of Ethereum-based data privacy protocol HOPR, told Cointelegraph that while thefts are never a good thing, he thinks that it’s impressive that the DeFi community was able to come together — from Tether freezing $33 million worth of USDT to OKEx and Binance lending a helping hand in monitoring the siphoned funds — to prevent the hacker from withdrawing or exchanging any of the involved assets, adding:
“Hopefully, it will encourage a greater focus on security and auditing. DeFi enthusiasm is infectious, but it’s important to remember that there is huge value at stake. The desire to move quickly can’t trump security.”
“No, thank you,” says “Mr. White Hat”
After determining the hacker’s motives to be completely clean, a spokesperson for the Poly Network said that the company was willing to offer the individual — whom the company dubbed “Mr. White Hat,” — a $500,000 bounty via a message that read, “We will send you the 500k bounty when the remaining funds are returned except the frozen USDT.”
Surprisingly, the hacker politely refused, stating that he never responded to the offer. “I will send all of their money back,” he said, signing off.
With all of the funds back in place — bar the aforementioned frozen USDT — it appears as though the largest hack in decentralized finance history has finally come to a close. And though the hacker’s identity continues to remain a mystery, Chinese cybersecurity firm SlowMist recently released an update claiming that its security team had been able to identify the attacker’s email address, IP address and device fingerprint.
Hopefully, this episode serves as a stern reminder of how security should always be of supreme importance when laying the foundation of any project, regardless of its technological proposition. Therefore, it will be interesting to see how startups and other firms operating within DeFi continue to evolve and upgrade their existing security setups because the next time around, the hacker may be unwilling to return the money.