Hackers stole more than $600 million in an attack on cross-chain protocol Poly Network

A protocol for swapping cryptocurrencies across multiple blockchains, Poly Network was hit by the largest DeFi hack to date.
Poly Network urges miners of affected blockchains and exchanges to block hacked funds.
Tether has blacklisted nearly $33 million worth of stolen USDT, and these tokens can no longer be moved on the blockchain.

An unusual issue on the protocol led to the hack; no single keeper was responsible for the attack.

Poly Network victim of largest DeFi hack, tokens on Ethereum, Binance Smart Chain and USD Coin network stolen

Poly Network announced that the cross-chain protocol was hacked for more than $600 million worth of cryptocurrencies. The victim of the attack is a protocol that was formed by an alliance between teams behind Neo, Ontology, and Switcheo. Poly network protocol is used for swapping tokens across blockchains like Bitcoin, Ethereum, and Ontology.

The attackers stole $273 million in Ethereum tokens, tokens worth $253 million on Binance Smart Chain, and $85 million in tokens on USD Coin.

Important Notice:
We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker's following addresses:
ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71
— Poly Network (@PolyNetwork2) August 10, 2021

Poly Network team has urged exchanges and miners to block stolen funds. The cross-chain protocol called on Binance, Coinbase Pro, Huobi Global, OKEx, Tether and Circle to take immediate actions.

The hacker attempted to launder the stolen funds by depositing them on Curve.fi, an exchange liquidity pool. The first few attempts were rejected by the mining pool. However, subsequent attempts were successful. Colin Wu, a Chinese journalist, revealed further details of the attacker's deposits on Curve finance in his tweet:

The Ethereum address 0xC8a65 that stolen PolyNetwork funds began to try to deposit funds into https://t.co/AAn7stOsmU. Money laundering. The first few transaction attempts may be rejected by the mining pool and failed, but the subsequent transaction was successfully... pic.twitter.com/YbbGA9Xvyc
— Wu Blockchain (@WuBlockchain) August 10, 2021

The initial deposit attempts by the hacker failed since the Tether team had blacklisted the USDT tokens involved in the transfer.

. @Tether_to just froze ~33M $USDt on 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 as part of the #PolyNetwork hack https://t.co/EviPTAkQJD
— Paolo Ardoino (@paoloardoino) August 10, 2021

Interestingly, the tokens that the hacker attempted to deposit on Curve.fi came from a Binance smart chain address (beginning with 0x0D6e286). This implies that the stolen funds were not blocked on BSC.

Changpeng Zhao (CZ), CEO of Binance, stated in his recent tweet that no one controls BSC (or Ethereum), and the exchange has requested security partners to help Poly Network proactively.

We are aware of the https://t.co/IgGJ0598Q0 exploit that occurred today. While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can. Stay #SAFU. https://t.co/TG0dKPapQT
— CZ Binance (@cz_binance) August 10, 2021

In a letter addressed to the hacker, the team states that they want to establish communication with the hacker and suggest that the assets be returned since law enforcement will regard the offense as a major economic crime.

pic.twitter.com/Yzw4oDenjC
— Poly Network (@PolyNetwork2) August 10, 2021

The Poly Network has completed its preliminary investigation of the hack and located the cause of the vulnerability.

The exploit was not caused by a single keeper (utility actors that maintain the blockchain network), instead, the hacker exploited a vulnerability between contract calls. Cross-chain smart contract calls distribute computing, storage, network resources and ecology among blockchains.

The implications of the attack extend beyond the Poly Network. O3, a trading pool that uses Poly Network for cross-chain swapping, has suspended the functionality.

Blockchain security firm tracks down the attacker's device fingerprint, IP info and email address

SlowMist, a blockchain security firm, stated that they have tracked down the attacker's ID and tracked them. According to SlowMist, the hacker exchanged original funds in Monero for Binance coin, Ethereum, Matic and other tokens and used these cryptocurrencies to fund the attack on Poly Network.

1)The cross-chain interoperability protocol @PolyNetwork2 was attacked, and a total of more than 610 million US dollars were transferred to 3 addresses. The impact caused the transfer of large assets of the O3 Swap cross-chain pool.
— SlowMist (@SlowMist_Team) August 10, 2021

Blue, CTO at SlowMist, said,

We told [Poly Network/O3] that we have some information about the hacker; if they need, we will share it to them.

The hacker may likely respond to Poly Network's attempt at recovering the stolen funds since a transaction from one of the attacker's wallets included a message:

IT WOULD HAVE BEEN A BILLION HACK IF I HAD MOVED REMAINING SHITCOINS! DID I JUST SAVE THE PROJECT? NOT SO INTERESTED IN MONEY, NOW CONSIDERING RETURNING SOME TOKENS OR JUST LEAVING THEM HERE.

The hack that Poly Network suffered is the largest DeFi hack since it accounts for over 58.2% of the market cap of all decentralized finance tokens.

Lucas Nuzzi, Network data product manager at Coin Metrics, slammed the Poly Network team and explained that "The Poly hack" seems to be enabled by how Poly-Bridge validates cross-chain transactions, not smart contract languages.

The primary design goal of a cryptocurrency is to protect user funds.

Projects like Poly, which copied most of their codebase from other projects, simply cannot achieve that goal.

When an inevitable disaster happens, every single project integrated with them is impacted.
— Lucas Nuzzi (@LucasNuzzi) August 10, 2021

Share: Cryptos feed

Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. FXStreet does not in any way guarantee that this information is free from mistakes, errors, or material misstatements. It also does not guarantee that this information is of a timely nature. Investing in Open Markets involves a great deal of risk, including the loss of all or a portion of your investment, as well as emotional distress. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of FXStreet nor its advertisers. The author will not be held responsible for information that is found at the end of links posted on this page.

If not otherwise explicitly mentioned in the body of the article, at the time of writing, the author has no position in any stock mentioned in this article and no business relationship with any company mentioned. The author has not received compensation for writing this article, other than from FXStreet.

FXStreet and the author do not provide personalized recommendations. The author makes no representations as to the accuracy, completeness, or suitability of this information. FXStreet and the author will not be liable for any errors, omissions or any losses, injuries or damages arising from this information and its display or use. Errors and omissions excepted.

The author and FXStreet are not registered investment advisors and nothing in this article is intended to be investment advice.