Poly Network DeFi protocol hacked for $5 million
The project’s team has suspended services
03.07.2023 - 08:30
What’s new? On July 2, the Poly Network DeFi protocol was hacked, allowing the attackers to issue billions of dollars’ worth of crypto assets across 10 networks. According to researchers, the attackers were able to manipulate a smart contract feature on the cross-chain bridge protocol. The incident affected 57 cryptocurrencies on blockchains such as Ethereum, BNB Chain, Polygon, Avalanche, and Heco. The project’s team suspended services due to the exploit. It did not specify the value of the stolen coins; cybersecurity company PeckShield estimated the amount at $5 million.
#PeckShieldAlert @PolyNetwork2 exploiter has transferred more than $5M worth of cryptos out on #Ethereum, #BNBChain, and #Polygon, especially 1.5K $ETH ($2.88M) to 0x23f4...c671, 440 $ETH ($844K) to 0xc8Ab...C42F, and 300 $ETH (~$575K) to 0xfD3E...b778 https://t.co/EbYdTo3xIg… pic.twitter.com/I5Lg9UJ0eU — PeckShieldAlert (@PeckShieldAlert) July 2, 2023
What else is known? Poly Network has reached out to centralized exchanges (CEXs) and law enforcement agencies for help with the investigation and has recommended that developers and token holders withdraw liquidity and unlock their assets. The company hopes the hackers will return the funds to avoid legal problems.
Dear users, we would like to inform you that Poly Network is temporarily suspending its services due to a recent attack. We are actively engaging with relevant parties and diligently assessing the extent of the affected assets. 【1/3】 — Poly Network (@PolyNetwork2) July 2, 2023
According to a researcher under the nickname Arhat, the exploit was the result of a smart contract vulnerability that allowed hackers to create “a malicious parameter containing a fake validator signature and block header.” This is how they bypassed the validation process and issued tokens from Poly Network’s Ethereum pool to their own address on Metis, BNB Chain, and Polygon networks. The process was repeated for other blockchains, allowing a large number of tokens to accumulate.
At one point, the hackers had about $42 billion worth of tokens in their wallet. However, they were only able to convert and steal a small portion worth $400,000. The researcher noted that most of the coins had no liquidity.
PolyNetwork's Cross-Chain Exploit of $34B. The hack happened because of a smart contract vulnerability in @PolyNetwork2's cross-chain bridge tool. Here's how it might have happened (Refer to the image below): -- The hacker crafted a malicious parameter containing a fake… pic.twitter.com/5Yf10zHy6j — Arhat (@0xArhat) July 2, 2023
Representatives of blockchain security solutions provider Dedaub pointed out weaknesses in the protocol’s multisig, saying that a simple “3 of 4” scheme had been used for two years. In addition, the private keys to the signing addresses were compromised.
Dedaub explained that the attack was not complex because it did not exploit any logic bugs. Experts added that the Poly Network team responded slowly, taking seven hours, which cost the platform $5.5 million in stolen cryptocurrency. That said, the lack of liquidity in many of the tokens prevented further losses.
Getting to the bottom of the "34 billion" Poly network hack with a technical postmortem. TL;DR Poly network had a simple 3 of 4 multisig arrangement over 2 years! Looking at the final event we found that the private keys to the addresses marked were compromised. pic.twitter.com/Y0eMJXcYso — Dedaub (@dedaub) July 2, 2023
After the Poly Network hack, Binance CEO Changpeng Zhao reassured customers, saying that the exploit does not affect exchange users because it does “not support deposits from this network.”
This does not affect @Binance users. We do not support deposits from this network. Our security team is assisting them in its investigations though. Stay #SAFU. https://t.co/0EsD5Ux6vW — CZ 🔶 Binance (@cz_binance) July 2, 2023
Poly Network had already been attacked in August 2021. At that time, hackers affiliated with the Lazarus Group of North Korea stole more than $600 million.