In what has become Defi’s largest hack to date, on Tuesday, August 10th, the Poly Network reported at least $611 Million ($832 Million AUD) worth of crypto had been stolen across three separate chains – Binance Chain, Ethereum and Polygon.
Launched last year, the Poly Network is an interoperability project launched by cryptocurrency NEO in partnership with Switcheo and Ontology. It allows users to swap assets cross chain between Binance, Ethereum, Ontology and others using atomic swaps.
The Hack
On August 10th the Poly Network was hacked due to a vulnerability in its smart contract that allowed the hacker to pass through transactions to the attacker’s assigned addresses by changing the network’s keeper operation. The attack was first performed on Poly Network’s Binance Smart Chain contracts then repeated on Poly Network’s Ethereum chain contracts.
Approximately $273 Million of Ethereum and ERC-20 Tokens, $273 million of Binance and BEP-20 tokens, and $83 million in USDC tokens on Polygon were reported to have been stolen.
The Poly Network team elaborated that the attack was not due to the keeper’s private key being leaked.
The Aftermath
Shortly after the hack, the Poly Network tweeted confirming the attack, posting the hacker’s wallet addresses and urging all miners and exchanges to blacklist the addresses associated with the stolen funds.
Within hours, SlowMist (a Blockchain security firm) also released a statement saying they had identified the hacker’s email, IP address, and suggested they were able to track the attacker’s digital footprint.
Subsequently, a number of exchange CEOs tweeted expressing that they were investigating the issue and implementing security protocols to limit the damage. However, due to the decentralised nature of the blockchains, they could not promise a return of funds. Tether (the issuers of USDT) shortly after froze $33 million worth of USDT connected to the hacker’s addresses.
The Return of Funds
As scrutiny and eyeballs watched the addresses closely, at 4:00 UTC the hacker sent a message in an ethereum transaction to themself exclaiming they were “ready to return the fund”, leading many to believe the hack may have been executed by a white hat hacker.
In a later message, the hacker asked for a “multi-sig wallet” from the Poly Network to be able to return the funds, as they could not get in contact with the Poly Network team directly. The Poly Network quickly responded and set up a multi-sig wallet.
As of the writing of this article, the hacker has begun returning the funds to the Poly Network multi-sig wallets. The address still holds over $200 million in stolen funds. Not being without a sense of humour, the hacker, just prior to sending back the funds, created a token called “the hacker is ready to surrender”.
This recent hack has led many to question how it will affect policy and regulation in the future with countries such as India already imposing bans on cryptocurrency. Regardless of the effect this attack will have on regulation, the hacker knows their act won’t be forgotten – writing in one message “It’s already a legend to win so much fortune. It will be an eternal legend to save the world.”