The Largest Hack in DeFi’s History: How It May Have Happened
On August 10, the interoperability protocol Poly Network experienced what unfolded to be the largest hack in DeFi history. Attacking the Poly Network on Ethereum, Binance Smart Chain, and Polygon chains, a hacker managed to make off with more than $600 million worth of digital assets.
While the network initially claimed that the hacker exploited a vulnerability between contract calls, a number of analysts have denounced that the network’s poor security practices might have led to the theft of private keys. Instead, popular theories focus on gaining access to Poly Network’s keepers.
Meanwhile, the hacker has returned a portion of the stolen funds and has shown intent to return them all. As of press time, the situation continues to develop.
Poly Network Exploitation Explained
Poly Network, a cross-chain interoperability protocol that is used to swap tokens across numerous blockchains, was exploited for a record $600 million. The hacker exploited the network across three decentralized finances (DeFi) exchanges, including Ethereum, Binance Smart Chain, and Polygon.
The attacker managed to steal more than $250 million from Binance Smart Chain, over $85 million in USDC from the Polygon network, and approximately $270 million from the Ethereum network. Following the hack, Tether froze around $33 million in USDT linked to the hacker’s address.
Poly Network took to Twitter to announce the bad news. In the early stages, the network urged miners to blacklist tokens coming from the attacker’s addresses. The network also asserted that they will take legal actions and requested the hacker to return all the stolen assets.
Chinese cybersecurity firm SlowMist asserted that it has audited the hack and has “grasped the attacker’s mailbox, IP, and device fingerprints.” SlowMist also pointed out that they are tracking the possibility that an insider from Poly Network might have assisted the hacker as it was “a long-planned, organized and prepared attack.”
Poly Network Hacker is ‘Ready To Return The Funds’
The Poly Network exploiter has shown intent to return the stolen digital assets. The hacker has already paid more than $5 million to the addresses provided by the Poly Network itself.
At around 4:00 am UTC on August 11, the hacker sent an Ethereum transaction to itself, stating:
“READY TO RETURN THE FUND !”
Subsequently, the attacker asked for a secured multi-sig wallet to return all the funds. “Failed to contact the poly. I need a secured multisig wallet from you,” the hacker embedded the message in a transaction.
At around 8 am UTC, the hacker commenced returning stolen funds in USDC on the Polygon blockchain, sending 10, 10,000, and 1 million, respectively. Since then, the hacker has transferred $1.1 million in BTCB, $2 million in SHIBA tokens, and $600,000 in FEI, a stablecoin by Fei Labs.
A number of reasons could have contributed to pushing the hacker into returning the stolen funds, the most notable ones include:
- Tether froze around $33 million of the funds
- Poly Network urged miners to blacklist stolen tokens
- Some prominent cybersecurity firms were supposedly tracking the hacker
- Executives at Binance, OKEx, and Huobi promised to help
The fact that all bodies involved in the industry attempted their best to reverse the theft was quite promising as DeFi hacks continue to burden the industry. In 2020, DeFi hacks totaled $154 million. However, BSC-based protocols alone were exploited for a whopping $370 million in the first half of 2021.
How was Poly Network Hacked?
Poly Network initially claimed that the hacker exploited a vulnerability between contract calls. However, some security auditors and researchers claimed that the network’s poor security practices might have led to the theft of transactions authorizing private keys.
Mikko Ohtamaa, with over 25 years of experience in the software development industry, said that the hacker managed to replace the four Poly Network keepers—servers that move messages between the blockchains—with the attacker him/herself. This way, the hacker became the sole authorizer of all transactions and managed to steal the funds.
Ohtamaa is not alone in this viewpoint, as some other industry experts also think so. Another blockchain developer explained all of the hacker’s steps in a long Twitter thread, calling it “genius.”
An Ethereum developer, Mudit Gupta, also believes the hacker got a hold of the keepers and rejects the vulnerability in contract calls as a cause for the hack. He explored the recent hack in great detail in his blog, saying:
“Once the keeper was in the attacker’s control, the attacker could do arbitrary cross-chain transactions on the destination blockchains even if no such transaction took place on the source blockchain.”
If all the stolen assets are recovered, what would this mean for DeFi? Let us know what you think in the comments below.