In what is the largest theft in the history of decentralised finance so far, on Tuesday, August 10, 2021, $610 million was stolen by hackers from DeFi token swapping platform Poly Network. DeFi is a space in the Crypto industry that is growing at a very fast pace with the aim to create traditional financial products and services like trading, borrowing and loans using blockchain technology.
Ever since the DeFi ecosystem has grown into an industry where billions of dollars are invested and transacted, it has become increasingly susceptible to new hacks and scams with the latest being that of Poly Network. When it comes to hacks, 2021 has been a particularly bad year for the DeFi industry.
Right before the Poly Network exploit happened, CipherTrace had published a report that found that in 2021 alone, DeFi-related hacks were up by 270%. $432 million had already been lost in the industry to hacks since the publication of the report, with that number more than doubled in a matter of hours after Poly Network’s hack happened.
What is Poly Network?
Although a not-too-known name in the industry, Poly Network is a DeFi platform that organizes peer-to-peer transactions and allows users of different blockchains to transfer or swap tokens across these blockchains. Founded and launched in August 2020 as a collaboration between Neo (a blockchain platform), Switcheo (a Crypto trading platform) and blockchain company Ontology, Poly Network was built with the aim of making cross-chain interoperability easier and, interestingly, it has achieved that. For example, a user could use Poly Network to transfer tokens like Ethereum from the Binance Smart Chain to the Ethereum blockchain.
How Poly Network was hacked
Because Poly Network operates in the Binance Smart Chain, Polygon and Ethereum blockchain, tokens are swapped between these blockchains through the use of Smart Contracts. These Smart Contracts carry instructions on when the assets contained in them can be released to the counterparts in the transaction.
According to crypto intelligence firm CipherTrace, it is one of these smart contracts that Poly Network uses for the transfer of tokens between blockchains that maintains a large amount of liquidity to allow the efficient swapping of tokens by users.
In a tweet by Poly Network on Tuesday, a preliminary investigation found that the hackers exploited a vulnerability in the Smart Contract containing this liquidity. The hackers overrode the instructions set in the contracts for each of the three blockchains and this gave them the power to divert the funds in these contracts to three wallet addresses. This is according to Kelvin Fichter, an Ethereum programmer.
Fichter’s claim was proven correct as Poly Network later traced these wallet addresses and published them. According to blockchain forensics company Chainalysis, funds in more than 12 variations of cryptocurrencies were stolen by hackers. Someone claiming to have perpetrated the hack using digital messages posted on the Ethereum network and published by Chainalysis said they spotted a “bug” and they wanted to “expose the vulnerability” before others could exploit it.
Excerpts of a letter written to the attacker and posted to Twitter by Poly Network read, “The amount of money you hacked is the biggest one in the DeFi history,” continuing, Poly Network said, “The money you stole is from tens of thousands of Crypto community members… you should talk to us to work out a solution.”
Poly Network urged members of the crypto ecosystem to blacklist the assets that come from the addresses used by the hacker to siphon funds –that included a pool of different coins including about $33 million in Tether, according to Tether’s CTO.
CEOs and founders of major cryptocurrency exchanges like Binance, Huobi and OKEx announcing that they will block any of the stolen funds that may pass through their platforms. Changpeng Zhao, the CEO of Binance, said Binance was aware of the attack. He said Binance is “coordinating with all our security partners to proactively help,” but that “there are no guarantees.”
Several addresses the hacker could return the money to were established by Poly Network, with the company saying on Twitter, “We will take legal actions and we urge the hackers to return the assets.”
On the part of the attacker, it appears there is cooperation. As of 7:47 a.m. ET on Wednesday, Poly Network received about $4.7 million back from the attacker who said he perpetrated the hack “for fun”. According to Chainalysis, by noon of that Wednesday, a lot more money, about $261 million, had been returned. As of 8:18 a.m. UTC, Poly Network tweeted that a total of $342 million had been returned with the remaining $268 million all on Ethereum and yet to be returned by the hacker who they are referring to as “Mr White Hat”. The hacker also released an AMA explaining why he pulled off an attack this big.
At the time of writing, there had been no further updates.
One of the features of Decentralized Finance is that it offers people and businesses access to financial services for free. There is the argument that blockchain technology will cut costs and boost economic activities. These are all true but so far, technical flaws and weaknesses in the codes of these projects are making them vulnerable to hacks. To have a more reduced number or even an entire stop to hacks in the industry, projects must pay more attention to the security system guiding their platforms.