Cross Chain Poly Network has been hacked. The decentralized financial project lost as much as $611 million. This is the largest successful attack in the entire history of DeFi to date.
(Un)expected attack on Poly Network
On 10th of August on Poly Network profile on Twitter, information about a hacking attack on the network appeared. Cryptocurrencies worth a total of $611 million were stolen from it. Hackers thus gained access to resources stored on the Ethereum, Binance Smart Chain and Polygon chains. According to estimates, tens of thousands of people were affected. Some of the resources were instantly frozen by Tether. We are talking about the equivalent of nearly $ 33 million. Unfortunately, the same procedure failed in the case of funds stored in stablecoins BNB and USDC.
Poly Network is a bridge between blockchains. It allows asset transfers without using the ecosystem of exchanges. According to the administrators of the service, a hacker (or hackers) exploited a vulnerability in the smart contract connections. However, there are those who blame the developers of Poly Netwok. Mudit Gupta, who is an Ethereum programmer and a security researcher at the same time, believes that the loss of funds is a result of the negligence of the network developers and their irresponsible design decisions.
Interestingly enough, not long after the attack, there was an unofficial report that the hacker had previously contacted Poly Network pointing out vulnerabilities in their code. This was allegedly ignored.
Hacker partially returns funds
Still on the day of the attack, Poly Network issued a letter published on Twitter asking that the hacker return the stolen tokens. To everyone’s surprise, such action came from the attacker the very next day. However, it is unclear whether this was the result of a request from Poly Network representatives or perhaps the results of Slowmist’s rapid investigation. The blockchain security firm managed to establish the digital identity of the perpetrator, in the form of his IP address and email. The hacker most likely used the small Chinese cryptocurrency exchange Hoo. It was there that he allegedly gathered the funds with which he carried out the final attack.
The attacker decided to create a token named “The hacker is ready to surrender”, which he later sent to one of Poly Network addresses. In later steps, he made 3 transactions with values of $10, $10,000 and $1,000,000 USDC respectively. He also returned the stolen BTC and other cryptocurrencies.
New hypotheses are emerging regarding the perpetrator’s motives
The sum of the returned tokens to Poly Network totaled $256 million. Thus, the case remains a developing one and further transfers may still occur. However, many questions remain. First of all, who is the hacker and whether the intrusion is actually a result of Poly Network developers’ negligence. One thing is certain, this kind of intrusions into DeFi have the right to draw attention to security aspects in the long run and make sure that similar intrusions will not happen again.
The spice of the whole story is added by the fact that along with the start of the process of sending back the seized funds, an interview with the hacker appeared online. His words indicate that he did not intend to steal the funds at all, but to protect them from Poly Network developers’ irresponsibility. The vulnerability he found could, in his opinion, be seen by anyone. His action was therefore of a security nature. Moreover, as he mentioned, he did not plan to completely empty the resources he gained access to, as his intention was not to cause a decrease in the value of the coins. If the aforementioned arguments are true, they may cast a shadow on Poly Network.