While cryptocurrency hacks never happen on a small scale, the recent crypto heist at the Poly Network is huge. The attackers pilfered $610 million worth of crypto assets. Besides being “huge”, it’s “strange” too, as the attacker(s) have begun to return the stolen money.
Poly Network Crypto Heist Of $610 Million
On Tuesday, Poly Network suffered the worst cryptocurrency theft to date, losing $610 million worth of digital assets.
The news surfaced online after Poly Network disclosed the crypto heist via a tweet from its official account. As revealed, the hacker(s) targeted three blockchains – Binance Smart Chain (BSC), Ethereum, and Polygon – to pilfer the money.
Important Notice:
We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker's following addresses:
ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71
— Poly Network (@PolyNetwork2) August 10, 2021
It turned out that the attackers actually pilfered more than initially anticipated. Specifically, the stolen money amounted to $273 million on Ethereum, $253 million on BSC, and $85 million on Polygon.
Ok so so far can confirm it's at minimum $611M
$273M on Ethereum: https://t.co/3RbPSWPYv3
$253M on BSC: https://t.co/rHSbuxSYWl
$85M on Polygon: https://t.co/TMyD7y7ZQB
But because this is a cross-chain project other chains might also be impacted? https://t.co/Ie7lGhi32p pic.twitter.com/TGxJTncimM
— Steven (@Dogetoshi) August 10, 2021
Alongside announcing the hack, the exchange also asked all miners and cryptocurrency exchanges to block any tokens coming from the hackers’ wallet addresses on the affected blockchains.
Also, the exchange explained that the attack happened due to a vulnerability that allowed a cross-chain attack.
Moreover, the security firm SlowMist explained the vulnerability and the attack pattern in more detail in a separate post. As summarized in their post,
This attack is mainly because the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute the data passed in by the user through the _executeCrossChainTx function. Therefore, the attacker uses this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract. It is not the case that this event occurred due to the leakage of the keeper’s private key.
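The trust relationship SlowMist describes can be modeled in Python to show why the relay step matters and how restricting it changes the outcome. This is an added example, not Poly Network's contract code or SlowMist's analysis: the names `DataContract`, `LockProxy`, `Manager`, `execute_cross_chain_tx` and the `allowed` set are assumptions standing in for the contracts named in the quote, and the allow-list is one possible mitigation, not necessarily the fix the project deployed.

```python
# Model of the design flaw quoted above; names are illustrative assumptions.

class DataContract:
    """Stands in for EthCrossChainData: holds the keeper set, owner-gated."""
    def __init__(self, owner, keepers):
        self.owner = owner
        self.keepers = list(keepers)

    def set_keepers(self, caller, new_keepers):
        if caller is not self.owner:
            raise PermissionError("only the owner may change keepers")
        self.keepers = list(new_keepers)


class LockProxy:
    """An intended relay target: releases assets for a verified message."""
    def __init__(self):
        self.unlocked = []

    def unlock(self, caller, to, amount):
        self.unlocked.append((to, amount))


class Manager:
    """Stands in for EthCrossChainManager: relays cross-chain calls."""
    def __init__(self):
        self.allowed = None  # None = any (target, method) pair is relayed

    def execute_cross_chain_tx(self, target, method, args):
        # Header verification is assumed to have passed; the flaw is in
        # what the manager is then willing to call with its own authority.
        if self.allowed is not None and (target, method) not in self.allowed:
            raise PermissionError("target/method is not relayable")
        getattr(target, method)(self, *args)


def keepers_after_relay(hardened):
    manager, proxy = Manager(), LockProxy()
    data = DataContract(owner=manager, keepers=["keeper-A", "keeper-B"])
    if hardened:
        manager.allowed = {(proxy, "unlock")}  # privileged contract excluded
    manager.execute_cross_chain_tx(proxy, "unlock", ["user-1", 10])
    try:
        # Constructed message whose payload names the data contract.
        manager.execute_cross_chain_tx(data, "set_keepers", [["untrusted"]])
    except PermissionError:
        pass
    return data.keepers
```

With `hardened=False` the keeper list is replaced even though the owner check in `set_keepers` passes as written, because the call arrives with the manager's authority; with `hardened=True` the original keepers remain.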
Hacker(s) Returning The Stolen Money
SlowMist further claimed to have tracked down the hacker via the IP address and device fingerprints.
Poly Network also urged the attacker to return the money and be a “white hat” hacker.
Eventually, the attackers seemed to have agreed as the stolen amount began to move back to Poly Network’s wallet addresses.
Besides returning the funds, the attacker also explained the apparent reason for the attack – to teach a lesson to Poly Network.
… I DECIDED TO LET THE SHOW GO ON! WHAT IF THEY PATCH THE BUG SECRETLY WITHOUT ANY NOTIFICATION?”
In a quick Q&A on an Ethereum transaction site, the attacker explained how he spotted the bug and went ahead to exploit it before an adversary could. He also claimed that he never intended to keep the amount.
Besides, he elaborated on how he wanted to exploit all four blockchains – the fourth being Heco. However, the latter didn’t let him through.
As for his traceability, the hacker stated,
I UNDERSTOOD THE RISK OF EXPOSING MYSELF EVEN IF I DON’T DO EVIL. SO I USED TEMPORARY EMAIL, IP OR _SO CALLED_ FINGERPRINT, WHICH WERE UNTRACEABLE. I PREFER TO STAY IN THE DARK AND SAVE THE WORLD.
He also confirmed that he was in communication with Poly Network, something that the exchange also confirmed.
Since he had posted the Q&A publicly, users could easily share it on social media.
And another… ? pic.twitter.com/HTFdM4w0s9
— Sam MacPherson (@hexonaut) August 11, 2021
At the time of writing this article, the attacker had returned $342 million worth of assets.
$342 million (As of 12 Aug 08:18:29 AM +UTC) of assets had been returned:
Ethereum: $4.6M
BSC: $252M
Polygon: $85M
The remaining is $268M on Ethereum
— Poly Network (@PolyNetwork2) August 12, 2021
It currently remains unclear whether the hacker has told the truth or returned the amount out of fear of being traced.
For now, Poly Network awaits full recovery of the assets from the “Mr. White Hat” hacker.