The project’s team has suspended services

Poly Network DeFi protocol hacked for $5 million

03.07.2023 - 08:30



What’s new? On July 2, the Poly Network DeFi protocol was hacked, and the hackers issued billions of dollars’ worth of crypto assets across 10 networks. According to researchers, the hackers were able to manipulate a smart contract feature on the cross-chain bridge protocol. The incident affected 57 cryptocurrencies on blockchains such as Ethereum, BNB Chain, Polygon, Avalanche, and Heco. The project’s team suspended services because of the exploit. It did not specify the value of the stolen coins; cybersecurity company PeckShield estimated the amount at $5 million.

What else is known? Poly Network has reached out to centralized exchanges (CEXs) and law enforcement agencies for help with the investigation and has recommended that developers and token holders withdraw liquidity and unlock their assets. The company hopes the hackers will return the funds to avoid legal problems.

According to a researcher under the nickname Arhat, the exploit was the result of a smart contract vulnerability that allowed hackers to create “a malicious parameter containing a fake validator signature and block header.” This is how they bypassed the validation process and issued tokens from Poly Network’s Ethereum pool to their own address on Metis, BNB Chain, and Polygon networks. The process was repeated for other blockchains, allowing a large number of tokens to accumulate.

At one point, the hackers had about $42 billion worth of tokens in their wallet. However, they were only able to convert and steal a small portion worth $400,000. Arhat noted that most of the coins had no liquidity.

Representatives of blockchain security solutions provider Dedaub pointed out weaknesses in the protocol’s multisig, saying that a simple “3 in 4” scheme had been used for two years. In addition, private keys to addresses were compromised.

Dedaub explained that the attack was not complex because no logic bugs were exploited. Experts added that the Poly Network team responded slowly, taking seven hours, which cost the platform $5.5 million in stolen cryptocurrency. That said, the lack of liquidity in many of the tokens prevented further losses.

After the Poly Network hack, Binance CEO Changpeng Zhao reassured customers, saying that the exploit does not affect the exchange’s users because Binance does “not support deposits from this network.”

Poly Network had already been attacked in August 2021. At that time, hackers affiliated with the Lazarus Group of North Korea stole more than $600 million.
