Poly Network DeFi protocol hacked for $5 million
The project’s team has suspended services

03.07.2023 - 08:30
336
5 min
0
What’s new? On July 2, the Poly Network DeFi protocol was hacked, causing hackers to issue various billions of dollars worth of crypto assets across 10 networks. According to researchers, they were able to manipulate a smart contract feature on the cross-chain bridge protocol. The incident affected 57 cryptocurrencies on blockchains such as Ethereum, BNB Chain, Polygon, Avalanche, and Heco. The project’s team suspended services due to the exploit. It did not specify the value of the stolen coins, with cybersecurity company PeckShield dubbing the amount at $5 million.
#PeckShieldAlert @PolyNetwork2 exploiter has transferred more than $5M worth of cryptos out on #Ethereum, #BNBChain, and #Polygon, especially 1.5K $ETH ($2.88M) to 0x23f4...c671, 440 $ETH ($844K) to 0xc8Ab...C42F, and 300 $ETH (~$575K) to 0xfD3E...b778https://t.co/EbYdTo3xIg… pic.twitter.com/I5Lg9UJ0eU— PeckShieldAlert (@PeckShieldAlert) July 2, 2023
What else is known? Poly Network has reached out to centralized exchanges (CEXs) and law enforcement agencies for help with the investigation and has recommended that developers and token holders withdraw liquidity and unlock their assets. The company hopes the hackers will return the funds to avoid legal problems.
Dear users, we would like to inform you that Poly Network is temporarily suspending its services due to a recent attack. We are actively engaging with relevant parties and diligently assessing the extent of the affected assets. 【1/3】— Poly Network (@PolyNetwork2) July 2, 2023
According to a researcher under the nickname Arhat, the exploit was the result of a smart contract vulnerability that allowed hackers to create “a malicious parameter containing a fake validator signature and block header.” This is how they bypassed the validation process and issued tokens from Poly Network’s Ethereum pool to their own address on Metis, BNB Chain, and Polygon networks. The process was repeated for other blockchains, allowing a large number of tokens to accumulate.
At one point, the hackers had about $42 billion worth of tokens in their wallet. However, they were only able to convert and steal a small portion worth $400 000. He noted that most of the coins had no liquidity.
PolyNetwork's Cross-Chain Exploit of $34B.The hack happened because of a smart contract vulnerability in @PolyNetwork2's cross-chain bridge tool.Here's how it might have happened (Refer to the image below):-- The hacker crafted a malicious parameter containing a fake… pic.twitter.com/5Yf10zHy6j— Arhat (@0xArhat) July 2, 2023
Representatives of blockchain security solutions provider Dedaub pointed out weaknesses in the protocol’s multisig, saying that a simple “3 in 4” scheme had been used for two years. In addition, private keys to addresses were compromised.
Dedaub explained that the attack was not complex because no logical bugs were used. Experts added that the Poly Network team responded slowly, spending seven hours, which cost the platform $5,5 million in stolen cryptocurrency. That said, the lack of liquidity in many of the tokens prevented further losses.
Getting to the bottom of the "34 billion" Poly network hack with a technical postmortem.TL ; DRPoly network had a simple 3 of 4 multisig arrangement over 2 years!Looking at the final event we found that the private keys to the addresses marked were compromised. pic.twitter.com/Y0eMJXcYso— Dedaub (@dedaub) July 2, 2023
After the Poly Network hack, Binance CEO Changpeng Zhao reassured customers, saying that the exploit does not affect exchange users because it does “not support deposits from this network.”
This does not affect @Binance users. We do not support deposits from this network. Our security team is assisting them in its investigations though. Stay #SAFU. https://t.co/0EsD5Ux6vW— CZ 🔶 Binance (@cz_binance) July 2, 2023
Poly Network had already been attacked in August 2021. At that time, hackers affiliated with the Lazarus Group of North Korea stole more than $600 million.
Useful material?
Incidents
We talk about how the events with the collapsed cryptocurrency developed and how the head of Argentina contributed to it
Feb 17, 2025
Market
Once the SEC confirms, the filing will be published in the Federal Register, which will initiate the approval process
Feb 11, 2025
Market
Analysts at JPMorgan Bank believe the asset will continue to face pressure amid growing competition
Feb 6, 2025
Market
The hacker used the account to promote MEOW and DCOIN scam tokens
Feb 6, 2025
Market
The company’s operating expenses rose 693% year-over-year to $1,103 billion
Feb 6, 2025
Crypto regulations
Group head Hester Peirce criticized the regulatory approach formed by former chairman Gary Gensler
Feb 5, 2025