The Poly Network has fallen victim to another exploit after hackers manipulated a smart contract function on the cross-chain bridge protocol.
Poly Network confirmed the hack, adding that it would be temporarily suspending all services.
57 Crypto Assets Impacted
The attack on Poly Network occurred on the 2nd of July, resulting in the hacker being able to issue billions of tokens seemingly out of thin air to generate a profit. Poly Network confirmed the attack through its official Twitter handle, stating that it had become the latest DeFi entity to fall victim to a hack, adding that it was temporarily suspending services. The update also stated that the exploit had impacted 57 crypto assets based on ten blockchains, including BNB Chain, Ethereum, Avalanche, Polygon, OKx, Heco, and others.
While it isn’t clear how much has been stolen in the attack, PeckShield has reported that the attacker had transferred at least $5 million worth of crypto from the cross-chain bridge. In an update issued on the 3rd of July, the Poly Network team stated,
“We have already initiated communication with centralized exchanges and law enforcement agencies and sought their assistance.”
The team further advised token holders to withdraw liquidity and unlock their liquidity provider tokens.
Poly Network Hack Breakdown
According to DeFi security analyst @0xArhat, the exploit stemmed from a smart contract vulnerability that allowed the hackers to create a malicious parameter that contained a fake validator signature and block header. The smart contract accepted this malicious parameter, allowing the hacker to bypass the verification process and issue tokens from Poly Network’s Ethereum pool to their address on other chains such as BNB Chain, Polygon, and Metis. The same procedure was repeated for other chains, resulting in a massive pile-up of tokens.
According to @0xArhat, the hacker’s wallet held over $42 billion worth of tokens at one point. However, the hacker could only convert and steal a fraction of the tokens. The attackers had minted 24 billion Binance USD (BUSD) and BNB on the Metis blockchain, 999 trillion Shiba Inu (SHIB) on the Heco blockchain, and millions of other tokens on other prominent networks such as Polygon and Avalanche.
“This way, the hacker was able to mint billions of tokens on various blockchains that did not exist before and transfer them to their own wallet addresses.”
Dedaub has dubbed the latest hack to hit Poly Network the “34 billion Poly Network hack.” The firm also highlighted several weaknesses in the protocol’s multi-sig, adding that it had only a simple 3 of 4 multi-signature arrangement for over two years.
“Getting to the bottom of the “34 billion” Poly network hack with a technical postmortem. TL;DR Poly network had a simple 3 of 4 multisig arrangement over 2 years! Looking at the final event, we found that the private keys to the addresses marked were compromised.”
According to the blockchain security solutions provider, the attack was not complex, as no logic bugs were exploited. Poly Network itself was slow to respond, eventually costing the platform $5.5 million in stolen crypto. However, a lack of liquidity in a majority of the tokens in question prevented further significant losses.
Binance, Polygon Reassure Users
Following the attack on the Poly Network, Binance CEO Changpeng Zhao stated that the exploit did not impact Binance users, adding that Binance did not support deposits from the Poly Network. Polygon’s Mudit Gupta stated on Twitter,
“Poly Network got rekt again, allegedly because of compromised hot keys. It’s going to keep happening until our industry changes our approach to security. Smart contract audits only scratch the surface. Ps Poly network has NOTHING to do with Polygon.”
Poly Network’s Previous Hack
This was the second time a major hack hit the Poly Network. In August 2021, the protocol was hit by attackers who managed to drain a then-record $600 million through the alleged leak of a private key that was used to sign a cross-chain message. As a result, the Poly Network lost $264 million in ETH, $250 million in BSC, and $85 million in MATIC. However, Poly Network later reported that the hacker had returned the stolen funds, with the hacker claiming the attack was orchestrated for fun. Poly Network even offered the anonymous hacker a job as Chief Security Advisor to the protocol, adding that it would not be pressing any charges.