Yesterday, Poly Network was the victim of the largest cryptocurrency hack ever recorded, losing just over $611 million. The previous largest crypto hack was in January 2018, when Coincheck lost around $530 million, meaning Poly Network's loss is significantly larger.
The public first learned of the hack yesterday from a tweet by @PolyNetwork, which asked all miners on the Binance, Ethereum, and 0xPolygon blockchains to blacklist all tokens coming from certain addresses.
Shortly after, O3Labs suspended their cross-chain function due to the attack, and PolyNetwork made an official announcement providing the three addresses to which the $611 million was transferred.
Security Combines – SlowMist Delivers
Not long after, OKEx Du Jun, Binance, and SlowMist started searching for details that could lead them to the attacker. It took only eight hours for SlowMist to explain how the attack happened, including all the details of the root cause, contract addresses, and the process.
A summary provided by SlowMist on slowmist.Medium.com states:
This attack is mainly because the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute the data passed in by the user through the _executeCrossChainTx function. Therefore, the attacker uses this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract. It is not the case that this event occurred due to the leakage of the keeper’s private key.
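A simplified Python model of the trust relationship SlowMist describes, added here as an illustration; it is not Poly Network's or SlowMist's code. The `put_keepers` setter, the `BridgeApp` target, and the allowlist mitigation are assumptions made for the example.

```python
# Constructed model of the flaw described above; not the real Solidity contracts.

class EthCrossChainData:
    """Holds the keeper set; only its owner (the manager) may change it."""
    def __init__(self, owner, keepers):
        self.owner, self.keepers = owner, list(keepers)

    def put_keepers(self, caller, keepers):  # hypothetical setter name
        if caller is not self.owner:
            raise PermissionError("only the owner may change keepers")
        self.keepers = list(keepers)


class BridgeApp:
    """Hypothetical legitimate target of cross-chain calls."""
    def __init__(self):
        self.unlocked = []

    def unlock(self, caller, args):
        self.unlocked.append(args)


class EthCrossChainManager:
    def __init__(self, allowed_targets=None):
        self.data = None                        # attached in build()
        self.allowed_targets = allowed_targets  # None models the flawed form

    def verify_header_and_execute_tx(self, target, method, args):
        # Header and proof checks are omitted; the flaw is in the dispatch.
        return self._execute_cross_chain_tx(target, method, args)

    def _execute_cross_chain_tx(self, target, method, args):
        allowed = self.allowed_targets
        if allowed is not None and not any(target is t for t in allowed):
            raise PermissionError("target contract is not allowlisted")
        # The call carries the manager's identity, so any contract that
        # trusts the manager treats user-chosen input as privileged.
        getattr(target, method)(self, args)
        return True


def build(hardened):
    """Return (manager, app); hardened=True enables the assumed allowlist."""
    app = BridgeApp()
    mgr = EthCrossChainManager([app] if hardened else None)
    mgr.data = EthCrossChainData(owner=mgr, keepers=["keeper-A"])
    return mgr, app
```

With `build(hardened=False)`, a user-supplied message that names the data contract as its target replaces the keeper list without any keeper key being involved; with `build(hardened=True)` the same message raises `PermissionError` while calls to the allowlisted app still go through.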
The After Effects
SlowMist has certainly proven itself as one of the best blockchain security firms on the planet. However, no one expected the outcome. The attacker has already started to return the stolen funds, with over $1 million in USDC and $1.1 million in BTCB returning to the designated addresses.
More surprisingly, the hacker created a token called “The hacker is ready to surrender” and sent it to the Polygon address.
Good or Bad Hacker?
The jury is still out as to whether the hack was malicious, a security test, or a planned proof of weakness in the smart contract bridge.
However, some people on Twitter are calling for PolyNetwork to hire the hacker, show them the exploits, and secure them. That is probably a very long shot, though.