The saga behind $610 million Poly Network cryptocurrency theft — everything we know about the mysterious hacker behind the attack and what went down over the last three days

• The theft of $610 million from the blockchain platform, Poly Network, is the biggest in the crypto space so far.
• The mysterious hacker behind the heist highlighted vulnerabilities in their technology, then returned all the funds while refusing bounty.
• With improved security on crypto exchanges, hackers have been looking at decentralised finance (DeFi) to get their hands on cryptocurrencies like Ethereum, Bitcoin, and others.

In the single largest cryptocurrency hack so far,$4 was stolen on August 10, 2021 by a ‘white hat’ hacker. The self proclaimed do-gooder claims to have breached the system and stolen $610 million in $4 — Ethereum, Binance Smart Chain and Polygon tokens — simply because he wanted to highlight the vulnerabilities of the $4 blockchain platform.

According to the $4-part$4 they have attached to their transactions as comments while returning the funds, the hacker claims to not be ‘evil’. He only took up this drastic step because he was paranoid that the Poly Network team would fix the glitch without informing anyone about it.

This hack was $4 Poly Network, a decentralised finance (DeFi) platform that facilitates users that lend, borrow, exchange or trade cryptocurrencies – and earn or pay interest while doing so. Cryptocurrencies worth $65 billion were locked into DeFi platforms, as of$4.

How did the hacker steal $610 million from the Poly Network?

The hacker claims to have noticed a security hole in how Poly Network uses ‘smart contracts’ called tokens to trade cryptocurrencies, explained in a$4 by Kelvin Fichter, a blockchain developer.

Poly Network is a ‘cross chain’ platform that tries to help users communicate across completely different blockchains. This means being able to make transactions across Bitcoin, Ethereum, Ontology, Binance Smart Chain, and so on.

While using $4 to solve one problem of cryptocurrencies – siloed communication within separate blockchains – Poly was exposed as vulnerable by the hacker and jeopardised their users’ money instead.

Like$4, Poly seems to have had$4 that was not identified until now, an instruction that was used only internally and should not have been possible to access by those outside the company.

As posited by Fichter on Twitter and confirmed by the hacker’s comments, the hacker sent out a message through the Ontology blockchain network to$4 internal instruction called EthCrossChainManager. That resulted in transferring ownership of other smart contracts, and thus the cryptocurrency underpinning those contracts, to wallets controlled by the hacker.


The largest haul in crypto history
As a result, the hacker took over ownership of $610 million worth of cryptocurrency – denominated in 12 different currencies including Ether coins, Binance Smart Chain coins and Polygon tokens.

Stolen asset	Amount stolen
Ethereum	$273 million
Binance Smart Chain	$253 million
Polygon	$85 million
Edit

Source: Poly Network

The quantum of loss meant that Poly wasn’t going to hush up a security breach – they$4 that began with ‘Dear Hacker’, declared it a major economic crime, and advised that a solution be worked out to return the hacked assets. A cybersecurity firm called SlowMist$4 the attack, but the hacker remains unidentified so far.

He saw, he conquered - and then gave it all back?

The hacker claimed to have exchanged a portion of the currency for stablecoins — like Tether and USD Coin — to gain interest on the amount while negotiating with the company to return the money.

As of 12 August 2021, the company has$4 of the $610 million that was hacked, with $268 million in Ether coins $4.

A ‘saint’ of cryptocurrency

The same day after the successful hack, the unidentified hacker conveyed messages to Poly Network through transaction comments – first saying “Ready to return the fund!” and that, “The hacker is $4.”


From their stated perspective, the hacker took control of the money to keep it safe. They saw a bug that could be exploited to acquire millions, and felt nobody could be trusted with the information. In their Q&A, they claim the vulnerability had to be exposed before an insider within the company could hide or benefit from it.


Despite having hacked the Poly Network, they still say it is ‘decent’, a ‘well designed system’, and a ‘challenge’ they enjoyed. They claim leaving lower-volume coins out of the hack, and not selling the coins they did take over, were steps they took to avoid a ‘real panic of the crypto world’.


They hope the Poly team ‘learn something from those hacks’, and want to give them tips on securing their networks, so they ‘can be eligible to manage the billion project’ in the future. They claim to have ‘enough money’, want adventures, fight fate and dread death.


They seem to indicate that ‘DeFi security’ is hackable, but ‘not enjoyable’ as a real hacker. They mention a selfish motive to be ‘cool’, that ‘cross chain hacking is hot’, but chose to refund the hack as they wanted to be ‘the moral leader’.


In continued exchanges through transaction comments, Poly Network appreciated the 'white hat behavior' and $4 of $500,000 in return. The hacker did not accept the bounty offer, responding with "I will send all of their money back."


What happens next?
Poly Network’s$4, which acts as an intermediary for multiple chains and is a major part of a cross-chain platform, was temporarily closed as of 13 August 2021. It is expected to open when the hack is resolved and the site regains full functionality.

If Poly Network presses charges, a legal case might exist to proceed against the hacker. However, the hacker $4 ‘Mr White Hat’ is co-operating with the company and seems to want their vulnerabilities fixed. No legal charges have been opened so far.

As seen from earlier attacks on DeFi systems, and the hacker’s comments, it would seem that security of DeFi systems is still evolving. So the question of whether to expect more hacks on other such centralised systems that use cryptocurrencies, is an open one.

Major cryptocurrencies themselves are relatively safer, because of the built-in $4, architecture that doesn’t expect trusted insiders, their decentralised nature and continuous bug fixes by the community.

Large DeFi attacks this year
According to an$4 by crypto intelligence firm CipherTrace, DeFi-related hacks are trending upward in 2021.

DeFi-related hacks at $361 million accounts for 76% of crypto-hacks so far this year, compared to $129 million or 25% of the total crypto hacks for all of the year 2020. Cross-chain DeFi exchanges suffered a lot, as shown in the three examples below.

Month	DeFi entity	Loss	Description
July 2021	THORChain	$13 million	Was attacked twice, lost various currencies. They recovered $8 million the second time, after paying the hacker a bug bounty.
July 2021	ChainSwap	$8.8 million	Was attacked twice, lost smart contract assets. The hackers remain at large.
May 2021	Rari Capital	$10 million	Lost crypto assets due to an ‘evil contract’ exploit. The hackers weren’t found, Rari’s developers (which they called contributors) paid a portion of their incentives to reimburse affected users.
May 2021	PancakeBunny	$45 million	Lost value of their BUNNY token due to a ‘flash loan’ exploit. Its value dropped by 96%, from $146 to $6. The attackers weren’t caught, and the token’s value is still down by 90% even three months later.
Edit

Inferring from the events of these three days, the Poly Network exploit could serve as a warning for future developers in the crypto and blockchain space. The probable direct impact of this hack went from an earthquake that could$4 investors, to a remarkably tame ending where all parties involved may come out unscathed.

However, the indirect impact may be upon the funding of crypto exchanges, coin offerings, and$4 platforms – all of which have been$4 at a frenetic$4. Where the money$4 favoured innovations and first movers, this incident would shine a brighter light on the internal security of ventures.

SEE ALSO:
$4

$4

$4