The saga behind $610 million Poly Network cryptocurrency theft — everything we know about the mysterious hacker behind the attack and what went down over the last three days
- The theft of $610 million from the blockchain platform, Poly Network, is the biggest in the crypto space so far.
- The mysterious hacker behind the heist highlighted vulnerabilities in the platform's technology, then returned all the funds while refusing a bounty.
- With improved security on crypto exchanges, hackers have been looking at decentralised finance (DeFi) to get their hands on cryptocurrencies like Ethereum, Bitcoin, and others.
According to the four-part question-and-answer series the hacker attached as comments to their transactions while returning the funds, the hacker claims not to be ‘evil’. They only took this drastic step because they were paranoid that the Poly Network team would fix the glitch without informing anyone about it.
This hack was directed at Poly Network, a decentralised finance (DeFi) platform that lets users lend, borrow, exchange or trade cryptocurrencies – and earn or pay interest while doing so. Cryptocurrencies worth $65 billion were locked into DeFi platforms, as of May 2021.
How did the hacker steal $610 million from the Poly Network?
The hacker claims to have noticed a security hole in how Poly Network uses ‘smart contracts’ called tokens to trade cryptocurrencies, as explained in a tweet thread by Kelvin Fichter, a blockchain developer.
Poly Network is a ‘cross chain’ platform that tries to help users communicate across completely different blockchains. This means being able to make transactions across Bitcoin, Ethereum, Ontology, Binance Smart Chain, and so on.
While using ‘blockchain interoperability’ to solve one problem of cryptocurrencies – siloed communication within separate blockchains – Poly was shown by the hacker to be vulnerable, which jeopardised its users’ money instead.
Like all software, Poly seems to have had a bug that was not identified until now: an instruction that was used only internally and should not have been accessible to anyone outside the company.
As posited by Fichter on Twitter and confirmed by the hacker’s comments, the hacker sent out a message through the Ontology blockchain network to use a special internal instruction called EthCrossChainManager. That resulted in transferring ownership of other smart contracts, and thus the cryptocurrency underpinning those contracts, to wallets controlled by the hacker.
The largest haul in crypto history
As a result, the hacker took over ownership of $610 million worth of cryptocurrency – denominated in 12 different currencies including Ether coins, Binance Smart Chain coins and Polygon tokens.
Source: Poly Network
| Stolen asset | Amount stolen |
| --- | --- |
| Binance Smart Chain | $253 million |
The quantum of loss meant that Poly wasn’t going to hush up a security breach – they tweeted an open letter that began with ‘Dear Hacker’, declared it a major economic crime, and advised that a solution be worked out to return the hacked assets. A cybersecurity firm called SlowMist helped analyse the attack, but the hacker remains unidentified so far.
He saw, he conquered - and then gave it all back?
The hacker claimed to have exchanged a portion of the currency for stablecoins — like Tether and USD Coin — to gain interest on the amount while negotiating with the company to return the money.
As of 12 August 2021, the company has recovered $342 million of the $610 million that was hacked, with $268 million in Ether coins still pending.
A ‘saint’ of cryptocurrency
On the same day, after the successful hack, the unidentified hacker conveyed messages to Poly Network through transaction comments – first saying “Ready to return the fund!” and that, “The hacker is ready to surrender.”
From their stated perspective, the hacker took control of the money to keep it safe. They saw a bug that could be exploited to acquire millions, and felt nobody could be trusted with the information. In their Q&A, they claim the vulnerability had to be exposed before an insider within the company could hide or benefit from it.
Despite having hacked the Poly Network, they still say it is ‘decent’, a ‘well designed system’, and a ‘challenge’ they enjoyed. They claim leaving lower-volume coins out of the hack, and not selling the coins they did take over, were steps they took to avoid a ‘real panic of the crypto world’.
They hope the Poly team ‘learn something from those hacks’, and want to give them tips on securing their networks, so they ‘can be eligible to manage the billion project’ in the future. They claim to have ‘enough money’, and say they want adventures, fight fate and dread death.
They seem to indicate that ‘DeFi security’ is hackable, but ‘not enjoyable’ as a real hacker. They mention a selfish motive to be ‘cool’, that ‘cross chain hacking is hot’, but chose to refund the hack as they wanted to be ‘the moral leader’.
In continued exchanges through transaction comments, Poly Network appreciated the 'white hat behavior' and offered a bounty of $500,000 in return. The hacker did not accept the bounty offer, responding with "I will send all of their money back."
The Poly Network hacker is now saying that they were offered a $500k bounty to return the stolen assets - but that… https://t.co/qw337WsuW7 — Tom Robinson (@tomrobin), 12 August 2021
What happens next?
Poly Network’s bridge, which acts as an intermediary for multiple chains and is a major part of a cross-chain platform, was temporarily closed as of 13 August 2021. It is expected to open when the hack is resolved and the site regains full functionality.
If Poly Network presses charges, a legal case might exist to proceed against the hacker. However, the hacker dubbed ‘Mr White Hat’ is co-operating with the company and seems to want their vulnerabilities fixed. No legal charges have been opened so far.
As seen from earlier attacks on DeFi systems, and the hacker’s comments, it would seem that the security of DeFi systems is still evolving. So the question of whether to expect more hacks on other such centralised systems that use cryptocurrencies is an open one.
Major cryptocurrencies themselves are relatively safer, because of the built-in security, architecture that doesn’t expect trusted insiders, their decentralised nature and continuous bug fixes by the community.
Large DeFi attacks this year
According to an August 2021 report by crypto intelligence firm CipherTrace, DeFi-related hacks are trending upward in 2021.
DeFi-related hacks, at $361 million, account for 76% of crypto-hacks so far this year, compared to $129 million or 25% of the total crypto hacks for all of the year 2020. Cross-chain DeFi exchanges suffered a lot, as shown in the three examples below.

| Date | Platform | Amount | Details |
| --- | --- | --- | --- |
| July 2021 | THORChain | $13 million | Was attacked twice, lost various currencies. They recovered $8 million the second time, after paying the hacker a bug bounty. |
| July 2021 | ChainSwap | $8.8 million | Was attacked twice, lost smart contract assets. The hackers remain at large. |
| May 2021 | Rari Capital | $10 million | Lost crypto assets due to an ‘evil contract’ exploit. The hackers weren’t found, Rari’s developers (which they called contributors) paid a portion of their incentives to reimburse affected users. |
| May 2021 | PancakeBunny | $45 million | Lost value of their BUNNY token due to a ‘flash loan’ exploit. Its value dropped by 96%, from $146 to $6. The attackers weren’t caught, and the token’s value is still down by 90% even three months later. |

Inferring from the events of these three days, the Poly Network exploit could serve as a warning for future developers in the crypto and blockchain space. The probable direct impact of this hack went from an earthquake that could ruin investors, to a remarkably tame ending where all parties involved may come out unscathed.
However, the indirect impact may be upon the funding of crypto exchanges, coin offerings, and DeFi platforms – all of which have been raising capital at a frenetic pace. Where the money until now favoured innovations and first movers, this incident would shine a brighter light on the internal security of ventures.