Over $ 600 million in cryptocurrency has been stolen from the Poly Network platform. The theft, remarkable for its magnitude, is perhaps not one: the hacker returned part of the money.
On August 10, 2021, news broke that a hacker stole more than $ 600 million in cryptocurrency from Poly Network users. The very large sum and the communication of Poly Network instantly make people talk, and the story quickly finds itself at the heart of many discussions.
It is indeed the managers of Poly Network who announced the hack on their Twitter account. ” We are sorry to announce that Poly Network has been attacked on Binance, Ethereum and Poplygon blockchains. The stolen assets were transferred to the hacker’s wallets at [trois adresses différentes] Poly Network officials announced on Twitter on August 10, hours after the theft.
We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @ 0xPolygon Assets had been transferred to hacker’s following addresses:
– Poly Network (@ PolyNetwork2) August 10, 2021
No one knows how the hacker did it, or how long he worked on the hack. We do not know if he – or she – is alone, or if it is a group of hackers. For a while there are rumors of corruption and sabotage, and on social media, everyone is theorizing. But, in the end, the ” biggest hack in cryptocurrency history May not be.
What is Poly Network?
Poly Network is an interoperability protocol between blockchains, specialized in the decentralized finance sector. Interoperability protocols are relatively new processes, developed to facilitate the exchange of information between blockchains. Indeed, the blockchains are all independent of each other. Normally, blockchains cannot communicate with each other, which can make certain operations more difficult to perform. In the case of decentralized finance applications, the problem arises all the more since many blockchains exist in this sector, and they all offer certain special features.
Poly Network allowed users of one blockchain to trade their tokens for those of another blockchain – much like a stockbroker would. ” We are setting up an interoperability system between several blockchains in order to build the Internet infrastructure of tomorrow », Explains Poly Network on its site. ” Authorized blockchains can connect to Poly Network and communicate with other blockchains, such as Bitcoin, Ethereum, Neo, Ontology, Elrond, Ziliqa, and Binance Smart Chain “.
What happened ?
Poly Network alerted its users to the theft on August 10 in the early afternoon, and immediately advised them to blacklist the addresses of the hacker responsible for the theft. At the time of Poly Network’s announcement, the company had spotted that the hacker had stolen $ 273 million in token from the Ethereum blockchain, $ 253 million in token from the Binance Smart Chain blockchain, and $ 85 million in USDC on the Polygon blockchain, totaling $ 611 million stolen.
During the day of August 11, experts and cybersecurity firms exchanged opinions on social networks, and many theories circulated. The Chinese firm specializing in the cybersecurity of BlockSec blockchains estimated in a first report that ” the hacker could have the right key to identify himself, which would indicate that the keys would have been leaked », And the hacker Mudit Gupta has a sustained time on twitter, where he is very followed, that the Poly Network teams were incompetent, or that a person could have deliberately sabotaged the project, or even been corrupted (he since deleted his posts and posted another scan).
For now, a theory, developed separately by the specialist firm Slowmist and by an Ethereum developer, seems to generate a certain consensus. It would be a flaw in a function of a smart contract, which would make it possible to change the identity of its keeper (its owner), and which would thus have made it possible to divert the money to the addresses of the hacker. ” According to our observations, it is most likely a planned operation, organized and prepared upstream. Slowmist explained. According to this theory, the hacker would have used this particular function in order to have access to another function, which would have allowed him to have access to blockchains. ” We believe that in this case there was no data breach. », Conclude the Slowmist teams. Kelvin Fichter, an Ethereum developer seems to be arriving to the same conclusion than the Slowmist firm.
“We should talk”
Poly Network teams have since confirmed that it was indeed a fault with the smart contracts, but did not give more details. ” After an initial investigation, we located the source of the vulnerability. The hacker exploited a loophole between two contracts, and not a key as has been said “.
But the teams didn’t just talk about the hack on Twitter: they spoke directly to the hacker. In a message published just hours after announcing the theft, the teams asked the hacker to ” return the stolen assets “. ” The amount of money you stole is the largest ever stolen in the history of decentralized finance. Such an act is considered a major economic crime in all countries, and you will be prosecuted. It would be unwise to try to make transfers. The money you stole comes from tens of thousands of people in the crypto community, and therefore the people. We should talk to find a solution together. “
– Poly Network (@ PolyNetwork2) August 10, 2021
The post was widely mocked and criticized on Twitter. But yet, against all odds, the hacker responded.
” For fun 🙂 “
The hacker responded to the Poly Network teams in a very particular way: by sending himself an Ethereum transaction, and by entering a message. Its Ethereum address having been made public, many observers were able to see the message – including members of Poly Network. The hacker has since created a site dedicated to his exchanges with them.
In one of the very first messages to Poly Network, the hacker seems to taunt them. ” I could have done a billion hack if I had moved the shitcoins (cryptocurrencies having little value, note)! Did I just save the project? Not too interested in the money, maybe I’ll return some tokens or leave them there “.
However, he seems to have changed his mind, despite his bravado. For a few hours, the hacker has initiated a whole series of money transfers. So far, $ 252 million in token on Binance’s blockchain has been returned, along with $ 85 million in token on Polygon, and 4.6 million in Ethereum. In total, more than $ 324 million were returned according to Poly Network.
The hacker also chose to share his moods on the site. In a “Q&A” in four parts, the person explains having done the hack ” for fun 🙂 “, And having chosen Poly Network in particular because the” interoperability protocols are hot “.
In sometimes a little broken English, the hacker also explained his motivation for the transfer. ” Why did you transfer the tokens? To keep them safe . He would have spotted the bug by chance, and wouldn’t immediately have known what to do. ” I wondered what someone would do when they found that such a great fortune was at hand. Was asking the Poly Network teams going to work? Anyone could be a traitor to a billion. I couldn’t trust anyone “, He justifies.
He also went back on his way. ” I had planned to do an attack on four blockchains: ETH, BSC, Polygon and HECO. It didn’t work for the HECO blockchain, […]. I should have quit then, but decided to continue. I said to myself ‘could they patch the bug without notifying anyone?’ But I didn’t want to create panic in the crypto world, so I chose not to target shitcoins, and not to sell them. “.
The hacker, who presents himself as a white hat, nevertheless admitted that he had had a somewhat selfish motive. ” I wanted to do something cool with this huge amount. Then I thought the coolest hack I could do was be a moral leader “. It remains to be seen whether the entire amount stolen will be returned.