In a shocking turn of events, hackers have managed to breach the security of PolyNetwork, a cross-chain protocol that enables interoperability between multiple blockchains. The hackers exploited a vulnerability in the contract logic of PolyNetwork, allowing them to transfer tokens from the protocol’s pools to their own addresses. According to PolyNetwork’s official Twitter account, the hackers stole tokens worth about 403 ETH, or roughly $1.2 million at the time of writing.
The protocol uses smart contracts to facilitate the cross-chain transactions and relies on a network of validators to ensure the security and validity of the transfers. However, it seems that the hackers found a way to bypass the validators and execute unauthorized transfers from the protocol’s pools.
The hackers targeted three pools: Ethereum, Binance Smart Chain, and Polygon. They transferred tokens such as ETH, USDC, DAI, SHIB, WBTC, and more to their own addresses. The largest amount was stolen from the Ethereum pool, where the hackers drained 403 ETH. The hackers also tried to transfer tokens from the Polygon pool to the Binance Smart Chain pool but failed due to an error in the contract code.
Tekedia Mini-MBA edition 14 (June 3 – Sept 2, 2024) begins registrations; get massive discounts with early registration here.
Tekedia AI in Business Masterclass opens registrations here.
Join Tekedia Capital Syndicate and invest in Africa’s finest startups here.
PolyNetwork has issued an emergency announcement on Twitter, urging all users and exchanges to blacklist the addresses used by the hackers, and requesting the hackers to return the stolen funds. The protocol has also stated that it is working on a solution to recover the assets and resume normal operations as soon as possible. PolyNetwork has apologized for the incident and promised to take full responsibility for the losses.
The hack of PolyNetwork is another reminder of the risks and challenges involved in the decentralized finance (DeFi) space, where users entrust their funds to complex and experimental protocols that may contain bugs or vulnerabilities. While cross-chain interoperability is a desirable feature for DeFi users, it also introduces new attack vectors and dependencies that may compromise the security.
According to a post-mortem report published by the Ploynetwork team, the hackers exploited a flaw in the smart contract that handles the minting and burning of PLY tokens, the native currency of the platform. The hackers were able to mint an arbitrary amount of PLY tokens and use them to drain the liquidity pools of other tokens, such as ETH, USDC, and DAI.
The Ploynetwork team said that they discovered the attack on July 1st at 11:15 PM UTC, and immediately paused the smart contract and contacted their security partner, CertiK, to investigate the incident. They also said that they are working with law enforcement agencies and other partners to track down the hackers and recover the stolen funds.
The Ploynetwork team apologized to their users and community for the breach and assured them that they are taking all necessary steps to prevent such incidents from happening again. They also said that they will compensate the affected users for their losses and will share more details on the compensation plan soon.
However, on August 10, 2021, PolyNetwork suffered a massive security breach that resulted in the loss of over $600 million worth of tokens, including 403 ETH (worth about $1.2 million at the time). This was one of the largest hacks in the history of decentralized finance (DeFi).
According to PolyNetwork’s official announcement, previously the hackers exploited a vulnerability in the contract function that handles cross-chain requests. This function is supposed to verify the signatures of different chain managers before executing the requests. However, the hackers found a way to bypass this verification and forge fake signatures that allowed them to access the funds stored in PolyNetwork’s contracts.
The hackers used this exploit to send cross-chain requests from Ethereum, Binance Smart Chain and Polygon to PolyNetwork’s contracts on each chain. They then transferred the funds from these contracts to their own addresses on each chain. The total amount stolen was:
2,858 ETH ($8.6 million) from Ethereum.
6,610 BNB ($2.5 million) and 21,952 BSC-based tokens ($252 million) from Binance Smart Chain.
1,032 WBTC ($40 million), 96,023 USDC ($96 million), 2,673,185 USDT ($2.7 million) and other tokens ($85 million) from Polygon.
The hackers also left a message on Ethereum’s blockchain, saying “The hacker is ready to surrender” and asking for a multi-sig wallet address to return the funds.
The hack caused a huge shockwave in the DeFi community and triggered a swift response from various parties. PolyNetwork immediately issued an open letter to the hackers, urging them to return the stolen funds and offering them a $500,000 bounty as a reward. PolyNetwork also asked miners, exchanges and wallet providers to blacklist the hackers’ addresses and freeze their assets.
Meanwhile, some of the projects whose tokens were stolen also took action to mitigate the damage. For example, Tether (USDT) froze $33 million worth of USDT that were sent to the hackers’ address on Polygon. O3 Swap (O3), a cross-chain aggregator that lost $5 million worth of O3 tokens in the hack, announced that it would issue new O3 tokens to replace the stolen ones and burn the old ones.
Surprisingly, the hackers started to return some of the stolen funds on August 11, 2021. They sent back $258 million worth of tokens to PolyNetwork’s addresses on Ethereum, Binance Smart Chain and Polygon. They also communicated with PolyNetwork via embedded messages on Ethereum’s blockchain, claiming that they hacked PolyNetwork “for fun” and wanted to expose its security flaws. They also said that they did not intend to cause any harm and that they were “not very interested in money”.
As of August 13, 2021, the hackers have returned almost all of the stolen funds, except for $33 million worth of USDT that are frozen by Tether. PolyNetwork has set up a multi-sig wallet with the participation of several reputable individuals from the DeFi community, such as Vitalik Buterin (the founder of Ethereum), Da Hongfei (the founder of Neo) and Changpeng Zhao (the CEO of Binance). The hackers have agreed to transfer the remaining funds to this wallet and cooperate with PolyNetwork to complete the recovery process.
The PolyNetwork hack has raised many questions and concerns about the security and trustworthiness of DeFi protocols and cross-chain solutions. It has also highlighted the importance of code audits, bug bounties and white hat hackers in preventing and detecting vulnerabilities.
Moreover, the hack has shown that DeFi is not immune to human factors and social engineering. The hackers’ decision to return the funds was influenced by various pressures and incentives from PolyNetwork, other projects, law enforcement agencies and the public opinion. The hackers’ identity and motivation remain unknown and mysterious.
The PolyNetwork hack is a wake-up call for the DeFi industry and a reminder of the risks and challenges that come with innovation and experimentation. It also demonstrates the resilience and collaboration of the DeFi community in times of crisis and the potential of DeFi to create a more open, transparent and inclusive financial system.