$600m Poly Network Hack Saga Raises More DeFi Security Questions

Posted on Sep 1, 2021 | BLOG

abstract screenshot of code

The Poly Network Hack
Crypto Industry Response
Analysis of the Poly Network Exploit
Attacker Gets Offered Bounty and Chief Security Advisor Post
Hacker Returns Over Half of the Funds
Implications of the Poly Network Hack Saga

Introduction

An audacious recent crypto hack, the biggest to date, has once again raised industry-wide concern on the security of the nascent decentralized finance (DeFi) sector as well as the centralized nature of certain blockchain platforms, which has resulted in the hacker returning nearly all of the $600 million in cryptocurrencies they absconded with. 

More than $600 million worth of ETH and other cryptocurrencies have been siphoned off the Poly Network platform in what is claimed to be the biggest single DeFi heist ever reported in the space. This prompted a response from Poly Network, along with other blockchain platforms Neo, Ontology, Binance Smart Chain (BSC), and Switcheo, asking the hacker to return the assets stolen along with a stern warning that a lawsuit might be pursued. 

The hacker has already announced their intention to accept the $500,000 reward the blockchain firm offers in exchange for the stolen funds. But as of August 22, the funds are still not completely returned. In the events leading up to the bounty offer, the self-proclaimed white-hat hacker partially transferred the funds to a multi-signature wallet prepared by the Poly team, which still requires his signature. 

This article covers the entire Poly Network saga, including how the hack happened, what position the founders offered the hacker, why the hacker returned the stolen assets, and the implications involved in this dreadfully perplexing turn of events.

The Poly Network Hack

On 10 August 2021, Poly Network disclosed that they were attacked and that assets on BSC, Ethereum, and Polygon were stolen by a hacker. In an update, the DeFi platform revealed that $273 million were stolen from the Ethereum chain, $253 from BSC, and $85 from Polygon adding up to a total of roughly $611 million, considered by the Polygon team to be the “biggest [exploit] in DeFi history”.

Following the attack, they promptly called upon miners and exchanges, asking them to blacklist tokens from the hacker’s addresses. In addition, the Poly Network team also threatened to take legal action against the hacker if they don’t return the stolen money. 

How the Crypto Space Responded

Tether froze around $33 million in USDT immediately after the announcement. Other major players in the crypto space also pledged their assistance to Poly Network, with OKEx CEO Jay Hao “watching the flow of coins” to prevent the hacker from cashing out and Binance CEO Changpeng Zhao announcing that he is coordinating with partners to “proactively help”. 

The hacker attempted to make the transfers to liquidity pools on Curve.fi but was rejected. However, they were able to successfully move funds from the BSC address to a liquidity pool on Ellipsis Finance.

Analysis of the Poly Network Exploit

On a further analysis made by the blockchain security firm BlockSec, it appears that the attacker might have changed the keeper function of the blockchain networks they attacked before unlocking the wallets and withdrawing the tokens they held.

Hash collision is one of the attack vectors presented in their analysis, citing Kelvin Fichter. According to Fichter, the attacker invoked the ‘putCurEpochConPubKeyBytes’ function and exploited the lack of validation mechanisms of different chains.

As explained by Fichter, the hacker’s attack took advantage of the platform’s ability to facilitate cross-chain transfers. The function invoked by the hacker overrode the list of bookkeepers designated to validate these transactions, making them the only bookkeepers to approve their calls to make fund transfers.

Another analysis from a Chinese blockchain security firm known as Slowmist shows that the original funds of the attacker were in XMR, which were later swapped to ETH, BNB, and other tokens.

Slowmist adds that “based on the flows of the funds and multiple fingerprint information, it is likely a long-planned, organized, and well-prepared attack”.

Attacker Gets Offered Bounty and Chief Security Advisor Post

Poly Network offered $500,000 as a reward to the attacker in exchange for returning the funds stolen from the platform. Later on, the attacker replied with a message that they were already considering accepting the bounty, which they would use as a reward to anyone else who could successfully hack the platform.

According to the hacker:

“MONEY MEANS LITTLE TO ME, SOME PEOPLE ARE PAID TO HACK, I WOULD RATHER PAY FOR THE FUN.”

“IF THE POLY DON’T GIVE THE IMAGINARY BOUNTY, AS EVERYBODY EXPECTS, I HAVE WELL ENOUGH BUDGET TO LET THE SHOW GO ON.”

Since then, Poly Network has made improvements on the platform’s mainnet, ensuring that the security protocols are further strengthened. They then prodded the hacker to return the private keys so they can “return full asset control back to the users” fast.

Poly Network also added that they consider attackers like them as “expert[s]” whom they can count on to develop the security infrastructure of the protocol, which is why they invited the head of culprits to be the network’s Chief Security Advisor.

“To extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network,” Poly Network stated.

The DeFi platform piled on the offer by declaring that they have no intention to pursue any lawsuits against the attacker, retracting their earlier statements, and even going as far as keeping the bounty offer stand despite the attacker’s intended use of the funds.

“Whatever Mr. White Hat chooses to do with the bounty in the end, we have no objections.”

Hacker Returns Almost All The Funds

In an Ethereum transaction sent to the Poly Network Exploiter address, the hacker made a transaction with a message that reads “Ready to return the fund!” After which, they also requested a multi-signature wallet from Poly Network.

As of 12 August 2021, the hacker has already returned $342 million of stolen assets: $4.6 million in ETH, $252 million in BSC, and $85 million in POLY; but there was a catch. According to the network data, there was still a total of $268 million worth of ETH unreturned. More importantly, since the wallet set-up was multi-sig, retrieving the returned assets required access to the hacker’s private keys, which they are still withholding.

By 24 August though, it was reported that almost all the $600m in funds had been returned, and that the hacker declined the $500,000 hacker bounty. 

Analysts alleged that there are multiple reasons that could have led the hacker to return the funds. Elliptic Chief Scientist Tom Robinson opined that the attack showed that even if hackers can take tokens away from protocols, cashing them out is difficult, which is why the easier and safer route they took was to return the assets. Gurvais Grigg, chief technology officer at Chainalysis, seems to agree.

Slowmist also added that it was also possible to track the identity clues related to the hacker through their mailbox, IP, and device fingerprints.

Implications of the Poly Network Hack Saga

The space has gone far in the last 2-3 years of its existence, but considering all the exploits and stolen user funds that have transpired, it appears that we are not past the experimentation stage as of yet. CipherTrace reported that DeFi-related hacks have been on the rise in 2021. In fact, 76% of the hacks in the cryptocurrency space are targeted on DeFi projects as of July 2021, a 270% increase compared to its share of attacks in 2020. 

Moreover, a major concern that is mostly overlooked is the somewhat centralized landscape of the crypto industry that is exposed through the Poly Network saga, which has allegedly helped prevent the hacker from cashing out most of the stolen tokens due to their blacklisted addresses. 

While this might have turned out in favor of the greater good, the lack of decentralization and censorship-resistance might come back and bite us one day if the industry’s status quo doesn’t change.

All things considered, maybe the space shouldn’t celebrate too early considering that it hasn’t totally solved the fundamental problems inherent in traditional finance nor its own security issues. But that couldn’t be further from the case since the crypto market is still soaring steadily, and sometimes in short bursts, despite the $600 million exploit.

Perhaps the best takeaway from this heist is not to dabble in DeFi hastily without looking at a protocol’s history of audits and avoid putting all your eggs in one basket so you won’t lose them all in one major hack. Nevertheless, we can expect millions or even billions more to be lost in DeFi exploits before all security bases are ultimately covered, which won’t happen anytime soon.