Decentralized finance platform Poly Network, which allows users to transfer cryptocurrencies between different blockchains, was the target of a massive hack on Tuesday, the company announced on Twitter. 

The hackers reportedly stole around US$600 million in cryptocurrencies — around US$267 million worth of Ether, US$252 million of Binance Smart Chain tokens and around US$85 million of USD Coin, according to a report by the BBC. The hack is bigger than the 2014 attack on crypto exchange Mt. Gox, making it one of the largest cryptocurrency heists.

The Poly Network operates on the Binance Smart Chain, and on the Ethereum and Polygon blockchains, each of which was attacked yesterday.

Soon after making the announcement, Poly Network attempted to establish contact with the attackers through a post on Twitter, saying: “The amount of money you have hacked is one of the biggest in defi history.”

Poly Network urged the attackers to talk to it and “work out a solution,” and threatened legal consequences. It added: “The money you stole are [sic] from tens of thousands of crypto community members, hence the people.”

Attackers and trackers

Poly Network published the three addresses the stolen tokens were transferred to, and called on affected blockchain and crypto exchanges to blacklist tokens from those wallets. At the time, the perpetrators’ wallets held multiple cryptocurrency tokens including USD Coin, Wrapped Bitcoin, Wrapped Ether and Shiba Inu. 

Crypto exchanges Huobi, Binance and OKEx offered their help, support and cooperation on Twitter, but Binance CEO Changpeng Zhao said: “There are no guarantees. We will do as much as we can.”

Tether Holdings Ltd., the issuer of Tether, the world’s largest stablecoin, has since frozen approximately US$33 million of the token on Ethereum that were stolen in the hack. 

SlowMist, a blockchain ecosystem security company, published a report with an analysis of the attack. Based on the report, Poly Network tweeted that the hackers had “exploited a vulnerability between contract calls.” 

Blockchain security company BlockSec issued a preliminary report on the hack that noted a possible leak of a private key or a bug in the Poly Network signing process as potential causes of the hack. 

According to the SlowMist report, however, the hack was executed in the following way. 

Poly Network has a privileged contract named EthCrossChainManager, which has the right to trigger messages from another blockchain. There’s a function that allows all parties to execute cross-chain transactions. The function verifies transaction requests and adds them to the blockchain. 

The critical flaw lies in the fact that the function can be used to call on the EthCrossChainData contract, which keeps a list of public keys that authenticate incoming data from other chains. The EthCrossChainData contract is owned by the EthCrossChainManager. Nefarious parties can therefore trick the EthCrossChainManager into calling on EthCrossChainData and passing the only-owner check. Using the right data, they can then trigger a function that alters public keys. 

Lesson learned?

Explaining the hack, a Twitter user said the biggest lesson of the event was that in cross-chain relay contracts, it is necessary to ensure that special contracts cannot be called upon by every user. 

Jason Bennick, CEO of virtual transaction company Blockrails, tweeted that the Poly Network attack was not a DeFi hack, just an example of lax security measures. 

Yifan He, CEO of Red Date Technology and an executive director of Chinese government-blessed Blockchain-Based Service Network, told Forkast.News: “Poly Network basically built a back door there. This is a lesson learned. If you want to [be] totally transparent, do that [in a way that is] as fair as possible.” 

He added that the Poly Network hack did not affect BSN because it did not use the Poly Network public chain. Instead, only a permissioned version of the Poly Network is integrated with BSN, leaving it completely unscathed. 

According to a report by Chainnews, SlowMist has already tracked down the wallets, IP addresses and device fingerprints of the hackers, and is currently hunting for more clues for their identity. 

SlowMist has also discovered that the attackers’ original funds were in Monero, later converted to Binance Coin, Ether and MATIC. SlowMist said that it obtained that information from Chinese crypto exchange Hoo and other exchanges. Some Twitter users have also claimed that the hackers’ funds originated at Hoo. 

SlowMist said that the attack was probably “long-planned, organized and prepared.” Some crypto experts have also said the hackers’ wallets were tied to Binance, FTX and OKEx accounts, indicating that they may have completed know-your-customer procedures on those exchanges — information that could be used to track down the perpetrators. 

The hackers included several messages in the transactions, one of which read: “It would have been a billion hack if I had moved remaining shitcoins! Did I just save the project? Not so interested in money, now considering returning some tokens or just leaving them here.”

Hackers give back

As SlowMist remains on their trail, the attackers seem to have had a change of heart. They are now planning to return the funds, as indicated by messages left on the Ethereum blockchain. 

The hackers have asked for a multi-signature wallet, which Poly Network has prepared. The company is now awaiting the return of the stolen funds. At 7:47 p.m. Hong Kong time on Wednesday, Poly Network tweeted that cryptocurrency worth US$4.7 million had so far been returned.

Although Red Date’s He said he did not personally believe that decentralized systems were secure, in the case of hacks, there was an upside. 

“Everybody can trace [hackers], everybody can work together to find out who did this, and I think that kind of pressure is a good part of the public chain,” He said. 

He said that pressure may be why the perpetrators had agreed potentially to return the stolen funds and why some money could be recovered. 

He also said further such attacks were plausible, saying: “As long as you’re decentralized, as long as you’re open source, people always can find vulnerabilities.”

Data from crypto intelligence company CipherTrace shows that DeFi hacks reached an all time high in the first seven months of 2021, with losses amounting to US$474 million, according to a Reuters report