Analysis Reports
Poly Network Exploit
12/3/2022

TL;DR

On August 10, 2021, the cross-chain interoperability protocol Poly Network was attacked by hackers, resulting in the loss of ~$610 million worth of digital tokens. Nearly all of the money was returned by the hacker the next day.

Summary

The Poly Network hack is considered one of the largest “crypto hacks” in history, targeting a cross-chain decentralized finance (DeFi) platform. Poly Network is designed to let users swap tokens from one digital ledger to another: it enables users to make transactions across different blockchains without having to convert their digital coins on an exchange. On August 10, 2021, a hacker breached the blockchain-based Poly Network platform and stole ~$610 million worth of crypto. The hack was possible due to the mismanagement of access rights between two vital Poly Network smart contracts, EthCrossChainManager and EthCrossChainData. Following the hack, Poly Network instructed all crypto miners and exchanges to blacklist the stolen funds, making them de facto unusable by the hacker.

Within 24 hours, an anonymous person claiming to be the hacker said they were ready to return the funds; the identity of that hacker has never been revealed. Poly Network asked them to send the money to three crypto wallets. A few hours later, the hacker returned $342 million, around half of the stolen amount. The remaining $268 million of assets were locked in an account that requires passwords from both Poly Network and the hacker to access.

Poly Network pleaded with the hacker, whom they called “Mr. White Hat,” to provide the “private key” necessary to retrieve the money. The firm offered the hacker a $500,000 "bug bounty" and a job as the company's chief security advisor if the funds were sent back; both offers were declined.

Thirteen days after the incident took place, Poly Network released an update announcing that the hacker had publicly shared, through an on-chain message, the private key needed to regain control of the remaining assets. The announcement stated that Poly Network had successfully retrieved the remaining funds and fully recovered all the user assets that were transferred out during the attack. Some have stated that the hacker returned the funds because they realized it would be difficult to launder the money and cash it out, since the coins are publicly recorded on the blockchain. The hacker disputed that in a message embedded in a crypto transaction, saying that they were "quitting the show"; they admitted that their actions had caused a lot of discomfort, but said it was their way of contributing to the security of the Poly Network.

Following the event, Poly Network said in a blog post that it would start a $500,000 bug bounty program to encourage researchers to find (and responsibly disclose) other vulnerabilities in its software. Currently, the company’s bug bounty listing on Immunefi says that the maximum bounty is $100,000.

Attack Flow

The hacker took advantage of EthCrossChainManager and EthCrossChainData. EthCrossChainManager governs EthCrossChainData. The hacker gained access to EthCrossChainData and, by replacing the Keeper’s key with their own, was able to move large volumes of funds to multiple wallets at the same time. This gave them access to multiple wallets, including Ethereum, Binance, Neo, and Tether. All tokens were channeled into the attacker’s secret wallet. The hacker triggered the EthCrossChainManager to allow interchain transactions between the Poly Network and the Ethereum network.
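The access-rights weakness described above (a manager contract that both owns the data contract holding the Keeper's key and forwards arbitrary calls from relayed cross-chain messages) is easiest to see in code. The contracts below are an added illustration written for this page; they are neither Poly Network's nor CertiK's code, and every contract and function name (DataDemo, WeakManagerDemo, HardenedManagerDemo, executeVerifiedTx, rotateKeeper, and so on) is hypothetical. Keeper-signature verification is stubbed out, since the point is the authority boundary, not the signature scheme.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Poly Network's or CertiK's code. All names are hypothetical.

// The "data" contract: stores the Keeper (relayer) public key that the manager
// trusts when checking relayed cross-chain messages. Only its owner may change it.
contract DataDemo {
    address public owner;
    bytes public keeperPubKey;

    constructor(bytes memory initialKey) {
        owner = msg.sender;          // deployer; ownership is later moved to the manager
        keeperPubKey = initialKey;
    }

    function transferOwnership(address newOwner) external {
        require(msg.sender == owner, "not owner");
        owner = newOwner;
    }

    function setKeeperPubKey(bytes calldata newKey) external {
        require(msg.sender == owner, "not owner");
        keeperPubKey = newKey;
    }
}

// WEAK PATTERN: the manager owns DataDemo AND forwards the payload of any
// Keeper-verified message to any target address with its own privileges.
// A message whose target is DataDemo therefore executes as DataDemo's owner,
// so the privileged Keeper key can be rewritten through the ordinary relay path.
contract WeakManagerDemo {
    DataDemo public data;

    constructor(DataDemo d) { data = d; }

    // Placeholder: a real implementation checks `sig` over `payload` against data.keeperPubKey().
    function _verifiedByKeeper(bytes calldata, bytes calldata) internal pure returns (bool) {
        return true;
    }

    function executeVerifiedTx(address target, bytes calldata payload, bytes calldata sig) external {
        require(_verifiedByKeeper(payload, sig), "bad keeper signature");
        (bool ok, ) = target.call(payload);  // no restriction on `target` at all
        require(ok, "call failed");
    }
}

// HARDENED PATTERN:
//  1. relayed messages may only reach explicitly allow-listed application contracts,
//     and never the manager itself or the privileged data contract;
//  2. Keeper rotation is a separate, governance-gated function that is not reachable
//     through a relayed message, and it emits an event so monitoring can alert on it.
contract HardenedManagerDemo {
    DataDemo public data;
    address public governance;
    mapping(address => bool) public allowedTargets;

    event KeeperRotated(bytes oldKey, bytes newKey);
    event TargetAllowed(address target, bool allowed);

    constructor(DataDemo d, address gov) { data = d; governance = gov; }

    function _verifiedByKeeper(bytes calldata, bytes calldata) internal pure returns (bool) {
        return true;  // placeholder, as above
    }

    function setAllowedTarget(address target, bool allowed) external {
        require(msg.sender == governance, "not governance");
        require(target != address(this) && target != address(data), "privileged target");
        allowedTargets[target] = allowed;
        emit TargetAllowed(target, allowed);
    }

    function executeVerifiedTx(address target, bytes calldata payload, bytes calldata sig) external {
        require(_verifiedByKeeper(payload, sig), "bad keeper signature");
        require(allowedTargets[target], "target not allow-listed");   // deny by default
        (bool ok, ) = target.call(payload);
        require(ok, "call failed");
    }

    function rotateKeeper(bytes calldata newKey) external {
        require(msg.sender == governance, "not governance");
        bytes memory oldKey = data.keeperPubKey();
        data.setKeeperPubKey(newKey);
        emit KeeperRotated(oldKey, newKey);
    }
}
```

The design choice worth taking away is the split of authority: the component that executes untrusted, relayed payloads should never hold the owner role over the component that defines who is trusted. An allow-list of targets (deny by default) is preferable to a deny-list, because new privileged contracts added later are blocked automatically, and emitting an event on every Keeper rotation gives an on-chain signal that an off-chain monitor can page on.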

The hacker used three chains to exploit and move funds — Ethereum, BSC, and Polygon. The attacker's original funds were in Monero, a privacy-centric cryptocurrency, and were then exchanged for BNB, ETH, MATIC and a few other tokens.

The attackers then initiated the attacks on Ethereum, BSC and Polygon blockchains.

Attacker address 1: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 (ETH)

Attacker address 2: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71 (BSC)

Attacker address 3: 0x5dc3603C9D42Ff184153a8a9094a73d461663214 (POLYGON)

ETHEREUM

Ten types of tokens — worth nearly $272 million — were stolen on the Ethereum blockchain; the details of the stolen tokens are listed below.

[Screenshots: table of the tokens stolen on Ethereum; images not reproduced in this extraction]

The hacker made 3 unsuccessful transactions to provide liquidity to the curve.fi DAI/USDC/USDT pool. On the 4th try, they were successful in adding liquidity to the pool, depositing DAI and USDC stolen in the second and fourth transactions in the table below:

[Screenshot: table of the curve.fi DAI/USDC/USDT liquidity transactions; image not reproduced in this extraction]

BINANCE SMART CHAIN

The attacker exploited the BSC blockchain in a similar way to the Ethereum blockchain. They transferred funds worth $250 million USD to BSC.

[Screenshots: table of the funds transferred on BSC; images not reproduced in this extraction]

$119 million was moved from the BSC address to provide liquidity to the Ellipsis Finance BUSD/USDC/USDT 3EPS pool through the following transactions:

[Screenshot: table of the Ellipsis Finance 3EPS liquidity transactions; image not reproduced in this extraction]

POLYGON

The hacker 0x5dc3603C9D42Ff184153a8a9094a73d461663214 successfully transferred 85,089,719 USDC from the Polygon blockchain.

[Screenshot: the Polygon USDC transfer; image not reproduced in this extraction]

Conclusion

Despite occurring in 2021, the Poly Network hack remains a unique case. We are seeing an increase in white-hat hacking and the returning of funds to make a statement about the security weaknesses of certain platforms. The best action you can take is to ensure that any platform you trust with your money or digital assets is upfront about how it guards users against theft. It is also important to do your own due diligence: protect your accounts with secure passwords, frequent updates, and monitoring, and #DYOR.