The Poly Network hack, arguably the biggest decentralized finance hack in history, has dragged on into a second week. The hackers, dubbed “Mr. White Hat” by the company, are delaying the full recovery of the stolen assets by withholding the private key to the multi-signature wallet to which the stolen assets were transferred. The multi-signature wallet set up by Poly Network is jointly controlled by its team and the hackers.
On Friday, Poly Network confirmed that all of the stolen assets, worth over US$600 million, had been returned to the wallet, except for frozen Tether tokens worth around US$33 million.
At the time, Poly Network had offered the perpetrators US$500,000 as a reward. The hackers claimed not to have responded to the offer, but in a later message posted on the Ethereum blockchain, they said they were considering accepting the reward to compensate the victims of the hack.
According to the Ethereum blockchain messages from the hackers, tweeted by Tom Robinson, CEO of blockchain investigation company Elliptic, the hackers will share the final key when “everyone is ready.” The hackers added: “Now the whole project has been monitored by the huge crowd [sic], if everyone is ready to accept the final key, I will be relieved for not being the supervisor.”
The hackers continue to claim that they attacked Poly Network for “fun,” and viewed the whole ordeal as a “game.” They wrote: “My operation continued [after finding the vulnerability], not only for fun, which was the major reason, but also for the trust issues.”
Trust issues, the hackers claim, are what is slowing down the complete handover of the stolen assets. They insist that their intention was to expose a vulnerability in a network managing hundreds of millions of dollars, and to educate and guide the DeFi world about security issues.
In a message posted yesterday, the hackers back-pedaled on their earlier stance of rejecting Poly Network’s reward, and said they were looking to accept it to fund other hackers who found vulnerabilities on Poly Network. They wrote: “I am considering taking the bounty as a bounus [sic] for public hackers if they can hack the Poly Network.”
They went on to say that they had sufficient funds to carry on the saga if Poly Network did not deliver the reward.
Meanwhile, Poly Network announced today on Immunefi, a bug bounty platform for DeFi projects, that it was launching its own reward program. The bounty offered is US$100,000 per valid bug report, with a total pool of US$500,000.
The company has also released a roadmap to normalcy. Poly Network has already patched the vulnerability exploited in the hack and launched a mainnet upgrade on Monday. Next, the firm is looking to restore all cross-chain services, recover the private key from the hackers, and resume full functionality.
Continuing a question-and-answer session from last week, the hackers revealed certain clues as to their identity. According to the answers, the hackers are non-native English speakers and describe themselves as a “high profile hacker in the real world” working in the security industry.
The attackers also questioned why security teams help patch vulnerabilities, such as the one exploited in the Poly Network hack, only after an attack, yet seldom flag such loopholes beforehand to prevent such events. They added that although Poly Network’s overall design was good, they could never trust the whole team behind it.
The perpetrators seem to be far from done with hacking. In the Q&A session, they wrote: “This story has its happy ending, but it may not be the end of my wild adventure.”