Poly Network Hack

NinjaWingnut Crypto
6 min read · Aug 16, 2021


While I was on vacation, the largest cryptocurrency hack to date took place: the Poly Network was hit for over $600 million in crypto, spread across three different blockchains. I figured this would be a good thing to cover in my first post back, especially since it appears it will have a relatively happy ending.

One thing to make clear, as I’ve seen a few people make the mistake: Poly Network is not the same thing as Polygon (MATIC). One is integrated with the other, but they are not the same project and are not run by the same people; they just share a similar name.

For the usual disclosure, I am not a financial advisor, I don’t even work in finance at all. My day job is as a telecommunications software engineer. Treat everything you read here as some educational resources and not financial advice.

What Is Poly Network

Poly Network is basically a cross-chain bridge that allows you to move funds between different blockchains in fewer steps than if you had to go through a centralized authority. It uses smart contracts on the different blockchains to track the funds that are deposited on one chain and to allow the release of the funds on the other.

It supports quite a few chains, and other than this hack, the technology has been pretty sound. They are able to facilitate cross-chain transactions pretty quickly, and have moved a significant amount of volume, just under $11 billion. But of course this one mistake is a pretty big one, so don’t take that as me throwing a ringing endorsement behind them.

The Hack

I won’t get super detailed about how the hacker pulled off the attack; there are plenty of articles and videos about that, and I try not to get super technical in my articles, to make them more accessible to people. If you really want to get into the nitty gritty, I’d recommend these two articles by BlockSec, Article One and Article Two, which are the ones I’ve found to give the best and clearest walkthrough of the attack vectors and code.

Basically, the hacker was able to use one transaction with a forged function call signature to generate transactions on the Poly chain itself. The hacker could then use that transaction, stored on the Poly chain, as input to another transaction on, say, Ethereum, and managed to get the contracts to hand their address control over them.

Once they had control over the contract, it was as simple as making a few more function calls to unlock all the funds and send them flying out of the contracts and into their wallet. They managed to pull the attack off on three different chains, landing them in the history books as currently the largest cryptocurrency hack.

Aftermath

In the aftermath of the attack, a lot of interesting things happened. First, the hacker has returned most of the funds that they took, claiming that was always their intention and they were not interested in money, but more in the fame of the hack. They even did a Q&A in the transaction notes as they returned the funds. I don’t actually buy that, because of some of the other things that went on.

Tether (USDT) locked the wallet so it could not move any of the USDT they stole. That shows the power the central authority has over these tokens, which is always something to keep in mind, even if you’re not planning on doing anything nefarious.

Some random user tipped off the hacker to this lockdown by sending them a transaction with a note in it, and for their help the hacker sent them 13.37 ETH. That is an interesting thing to do if you were always planning on returning the funds, because they handed out over $40,000 of stolen money, all because they said they felt the warmth from the community.

Another interesting thing is that they tried to send some of the funds to a mixing service, so they could break the link between the stolen funds and wherever they tried to offload them, but those transactions failed because of the USDT lock. Again, that doesn’t seem like something a white hat hacker would do, but since the attempt failed we’ll never know what their intentions were with the mixer.

They also traded in a bunch of crypto for stablecoins, which they went and staked to earn interest on. I won’t name the platform they used there, because I don’t want it to seem like I am looking down on them for facilitating it; I think locking down decentralized platforms goes against the open and free nature of cryptocurrency.

Note, I do not condone hacking and stealing funds, or any other nefarious way of acquiring crypto, but I also think that it should come down to the KYC bound organizations, where fiat on/off ramping occurs, to be responsible for that level of policing, not the decentralized communities where freedom and openness is the name of the game.

Poly Network also looked to the miner community to try and blacklist the wallets, which is a little weird, given that two of the three chains that were hit don’t use miners and rely on a different validation method. I’m honestly surprised they didn’t appeal to Binance in an attempt to get them to lock it out on their validators, as that would have been a more viable play, but again, one I don’t agree with.

It should not be up to the miners or validators to police the network, and I personally think that type of action is a slippery slope and goes against the whole reason crypto was created and thrives. I don’t think services like crypto mixers should exist, everyone should own their own actions and there should be a public trail through the ledger to follow every satoshi.

The funds are being returned back to the end users by the Poly Network, and the hacker turned down an offer for a bug bounty reward, my guess is because they don’t want it to be traceable back to them. I think the public outcry against them made them turn back on their original plans, return all the money, and hope to disappear back into the shadows without being identified.

Conclusions

Even though most of the funds have been returned, and the hacker decided to not keep any money, I’m still crowning this as the current largest crypto hack to have gone down to date. There will be more, there will be bigger, but currently this one is the champion.

I think Poly Network botched their response. Calling on miners to blacklist addresses and looking to the community to police the blockchain directly just feels like the wrong move to me. Tracing the money and tracking them to a KYC-bound central point is really the only approach that jibes with how I think crypto is envisioned and how it should be used.

I’m glad it seems it will turn out well in the end. The community managed to apply pressure to the hacker and appeal to whatever side of them was convinced to return the funds. That is another acceptable way to police it: the court of public opinion, and the knowledge that they would likely be identified eventually.


Originally Posted On My Website: https://ninjawingnut.xyz/2021/08/16/poly-network-hack/
