How Did the PolyNetwork Hacker Steal $600 Million? Security Experts Point Fingers

Aug 10, 2021 | Decrypt News


Over seven hours after it was first reported, details about an exploit that nabbed $600 million in digital assets from PolyNetwork have been slow to emerge. In the absence of a comprehensive audit, cybersecurity groups have uttered a common refrain to the programmers behind the cross-chain compatibility network: This is on you.

Funds linked to the attack have been traced to three separate addresses—one each on Ethereum, Binance Smart Chain, and Polygon.

As to the chain of events that got the misbegotten funds there, security experts have differing opinions—with some going as far as accusing their colleagues of misleading the public.

According to an initial analysis by China-based security auditor BlockSec, which it cautioned it had not yet verified, the theft could be the result of “either the leakage of the private key that is used to sign the cross-chain message” or “a bug in the signing process of the PolyNetwork that has been abused to sign a crafted message.”

Other researchers also insinuated poor security practices may have led to the theft of private keys used by the PolyNetwork team to authorize transactions.

Ethereum developer and security researcher Mudit Gupta wrote that PolyNetwork uses a multisig wallet for transactions. In its configuration, four people have access to the key for signing transactions, and three must sign: “The attacker got hold of at least 3 keepers and then used them to change the keepers to a single keeper.” In effect, the hacker locked them out. (Gupta initially thought Poly used a 1/1 multisig.)

Blockchain security team SlowMist says that’s not exactly what happened. Instead, it says, the attacker took advantage of a flaw in a smart contract function to change its keeper, rerouting the flow of funds to the attacker’s own address. “It is not the case that this event occurred due to the leakage of the keeper’s private key,” it reported.

PolyNetwork retweeted the blog post, while Gupta strongly disagreed with SlowMist, suggesting either gross incompetence or corruption.
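Both accounts above end the same way: the keeper set that authorizes cross-chain messages is replaced by one the attacker controls. The following added example (not Poly Network's contract code) models the 3-of-4 keeper configuration Gupta describes, shows why a change to a single keeper goes through once three keys cooperate, and adds the kind of check a monitor watching keeper changes would raise; signatures are modelled as keeper ids, an assumption made for illustration.

```python
# Constructed model of a threshold "keeper" set: N keepers, T of them must
# approve a cross-chain message or a change of the keeper set itself.
# Signatures are modelled as the signer's keeper id (no real cryptography);
# this illustrates the governance logic only, not Poly Network's contract.
from dataclasses import dataclass


@dataclass
class KeeperSet:
    keepers: frozenset[str]
    threshold: int

    def approves(self, signers: set[str]) -> bool:
        """True when at least `threshold` distinct current keepers signed."""
        valid = signers & self.keepers
        return 0 < self.threshold <= len(valid)

    def rotate(self, new_keepers: set[str], new_threshold: int,
               signers: set[str]) -> "KeeperSet":
        """Replace the keeper set; only the current set may authorize this."""
        if not self.approves(signers):
            raise PermissionError("keeper change lacks threshold approval")
        if not 0 < new_threshold <= len(new_keepers):
            raise ValueError("threshold must be between 1 and len(new_keepers)")
        return KeeperSet(frozenset(new_keepers), new_threshold)


def rotation_alerts(old: KeeperSet, new: KeeperSet, min_size: int = 3) -> list[str]:
    """Defender-side check: what a monitor watching keeper changes should flag."""
    alerts = []
    if len(new.keepers) < min_size:
        alerts.append(f"keeper set shrank to {len(new.keepers)} (floor {min_size})")
    if new.threshold < old.threshold:
        alerts.append(f"threshold lowered {old.threshold} -> {new.threshold}")
    if not (new.keepers & old.keepers):
        alerts.append("no continuity: every previous keeper was removed")
    return alerts


def replay_described_scenario() -> tuple[KeeperSet, KeeperSet, list[str]]:
    """Walk through the 3-of-4 -> 1-of-1 keeper change the article describes."""
    original = KeeperSet(frozenset({"k1", "k2", "k3", "k4"}), threshold=3)
    # Two signers are not enough to change the keeper set.
    try:
        original.rotate({"attacker"}, 1, {"k1", "k2"})
    except PermissionError:
        pass
    # Three cooperating keepers are enough, and the new set answers to one key.
    replaced = original.rotate({"attacker"}, 1, {"k1", "k2", "k3"})
    return original, replaced, rotation_alerts(original, replaced)
```

The point for defenders is the last function: a legitimate key rotation rarely shrinks the set, lowers the threshold and removes every prior keeper in one transaction, so all three conditions firing together is worth an immediate alert.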

Regardless of whether the attacker obtained private keys or exploited a weak smart contract, one way to do either of those things is by being in charge. But was it an inside job? After all, according to blockchain analytics firm CipherTrace, so-called rug pulls, a type of exit scam, were the most popular form of crypto fraud last year. 

It’s too soon to tell. SlowMist says it “has grasped the attacker’s mailbox, IP, and device fingerprints through on-chain and off-chain tracking, and is tracking possible identity clues related to the Poly Network attacker.” But its investigation hasn’t yet led to an executive at Poly holding a smoking gun. (Or, if it has, SlowMist is not yet saying.)

In the meantime, it’s unclear whether the attacker will be able to use the funds. PolyNetwork has also asked “miners of affected blockchain and crypto exchanges to blacklist tokens” from the exploiter’s addresses. In response, Tether said it froze $33 million in USDT connected to the attack, while executives at Binance, OKEx, and Huobi pledged to help limit the damage.

The hacker, however, has taken to issuing taunts from the Ethereum blockchain, by appending messages to blocks. “WHAT IF I MAKE A NEW TOKEN AND LET THE DAO DECIDE WHERE THE TOKENS GO,” they wrote in one message.

Perhaps, but maybe someone else should write the smart contracts for that.
