Reported as the largest Decentralized Finance (DeFi) Platform hack, Poly Network is the most recent addition to the high value list of victims of crypto attack. It was robbed of around $600 million crypto tokens.
Poly Network is a blockchain system that provides a platform for cross-chain interactive services. It allows authorized homogeneous and heterogeneous public blockchains to connect to Poly Network through an open, transparent admission mechanism and communicate with other blockchains.
Going by the name Mr. White Hat, the hacker stole approximately $600 million in bitcoins from the Poly platform and took control of the user assets. According to Twitter updates the company shared that, less than 48 hours into the hack, the stolen tokens were being returned.
The company first announced the breach on 10th August on its official twitter handle @PolyNetwork2
The post read:
We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker’s following addresses:
— Poly Network (@PolyNetwork2) August 10, 2021
Twitterati went into a flurry of activity and #polynetworkhack was the most tweeted hack of the day.
The Poly Network Vulnerability
- At the center of the attack is the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract that can execute specific cross-chain transactions through the _executeCrossChainTx function.
- Since the owner of the EthCrossChainData contract is the EthCrossChainManager contract, the EthCrossChainManager contract can modify the keeper of the contract by calling the putCurEpochConPubKeyBytes function of the EthCrossChainData contract.
- The verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can perform user-specified cross-chain transactions by calling the _executeCrossChainTx function internally. So, the attacker only needs to pass in the carefully constructed data through the verifyHeaderAndExecuteTx function for the _executeCrossChainTx function to execute the call to the EthCrossChainData contract PutCurEpochConPubKeyBytes function to change the keeper role to the address specified attackers.
- After replacing the address of the keeper role, the attacker can construct a transaction at will and withdraw any amount of funds from the contract.
- Simply put, the hacker exploited a smart contract vulnerability that is used by the Poly Network platform to exchange crypto coins between blockchains. The hackers managed to strike gold in Ether, a type of bitcoin in addition to 12 different cryptocurrencies in their steal.
DeFi is an attractive platform for the crypto market and rapidly growing with increased acceptance. As the industry captures market share, it is a lucrative target for hackers at it is still in its nascent stage but operates with large financial volumes.
DeFi related hacks total $361 million
According to CipherTrace “Cryptocurrency Crime and Anti-Money Laundering Report, August 2021”, major crypto thefts, hacks, and frauds totaled $681 million by July 21. Revealing insights related to Decentralized Finance hacks and frauds the report pegged the market loss at $361 million, 76% of major hack volume in 2021.
- By the end of July 2021, major crypto thefts, hacks, and frauds totaled $681 million
- At $361 million, DeFi-related hacks make up 76% of major hack volume in 2021
- By the end of July 2021, DeFi hacks have already increased more than 2.8X from 2020
- At $113 million, DeFi-related fraud makes up 53% of major fraud volume in 2021
- By the end of July 2021, DeFi fraud have already increased more than 2.7X from 2020
The cryptocurrency market is gaining wider acceptance and is becoming a platform of choice for businesses. The market is still unregularized and not matured. With absence of regulation the platform is vulnerable to security attacks as there is no legal accountability. These incidents are wake up calls where the transactions could have touched billions as touted by the hacker in a Q & A, shared by CipherTrace. As the business volumes spiral upwards so will the stolen assets.