At 6am ET on August 10, over half a billion dollars' worth of crypto assets were stolen from Poly Network, a cross-chain protocol that facilitates token swaps across multiple blockchains including Ethereum, Binance Smart Chain and Polygon.
With the total drained at $600M, this is the biggest DeFi hack in history, dwarfing the $59M EasyFi exploit that held the unenviable record until now.
According to the project, the attacker was able to “exploit a vulnerability between contract calls” and steal $270M worth of Ethereum-based assets, $250M of assets on Binance Smart Chain, and nearly $85M USDC on Polygon.
However, security researcher Mudit Gupta isn’t buying it, tweeting that “There seems to be no issue between contract calls and hack *is* caused by a single keeper being compromised.”
Auditing firm PeckShield has released an analysis of the exploit.
Users Affected; $33M Frozen
According to a tweet from crypto investor Boxmining, many Chinese investors and funds have been affected by the hack, as Poly Network was used by the NEO and Ontology blockchains to bridge assets from Ethereum. The bridge works by locking assets on the Ethereum side and minting equivalent assets on the target blockchain. Since the assets on the Ethereum side of the bridge are no longer there, the bridged tokens are essentially worthless.
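The lock-and-mint accounting described above implies an invariant a bridge operator can monitor: locked collateral must never fall below the bridged supply, and collateral should only be released against a burn. The following Python check is an added example, not code from Poly Network or from this article; the event names, fields and sample events are constructed assumptions, and the burn/unlock withdrawal path goes beyond what the article describes.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample events. The event types (lock/mint/burn/unlock) and
# fields are assumptions for illustration, not Poly Network's event schema.
SAMPLE_EVENTS = [
    {"chain": "source", "type": "lock",   "asset": "USDC", "amount": "1000", "ref": "d1"},
    {"chain": "target", "type": "mint",   "asset": "USDC", "amount": "1000", "ref": "d1"},
    {"chain": "target", "type": "burn",   "asset": "USDC", "amount": "200",  "ref": "w1"},
    {"chain": "source", "type": "unlock", "asset": "USDC", "amount": "200",  "ref": "w1"},
    # Collateral leaves the source chain with no burn on the target chain.
    {"chain": "source", "type": "unlock", "asset": "USDC", "amount": "800",  "ref": "x9"},
]

def reconcile(events):
    """Replay bridge events; return (per-asset backing report, alerts)."""
    locked = defaultdict(Decimal)   # collateral held on the source chain
    minted = defaultdict(Decimal)   # bridged supply on the target chain
    burns = {}                      # ref -> (asset, amount) burned on target
    alerts = []
    for ev in events:
        asset, amt, ref = ev["asset"], Decimal(ev["amount"]), ev["ref"]
        if ev["type"] == "lock":
            locked[asset] += amt
        elif ev["type"] == "mint":
            minted[asset] += amt
        elif ev["type"] == "burn":
            minted[asset] -= amt
            burns[ref] = (asset, amt)
        elif ev["type"] == "unlock":
            locked[asset] -= amt
            # Every release of collateral must match an earlier burn exactly.
            if burns.pop(ref, None) != (asset, amt):
                alerts.append(f"unlock {ref}: {amt} {asset} released without matching burn")
    report = {}
    for asset in set(locked) | set(minted):
        ratio = locked[asset] / minted[asset] if minted[asset] else None
        report[asset] = {"locked": locked[asset], "minted": minted[asset], "ratio": ratio}
        # Backing invariant: bridged tokens are only worth what is still locked.
        if locked[asset] < minted[asset]:
            alerts.append(f"{asset}: backing {locked[asset]} < bridged supply {minted[asset]}")
    return report, alerts

if __name__ == "__main__":
    report, alerts = reconcile(SAMPLE_EVENTS)
    print(report)
    for alert in alerts:
        print("ALERT:", alert)
```

On the constructed events, the final unlock leaves 800 bridged USDC outstanding against zero locked collateral, which is the state the paragraph above describes for holders of the bridged tokens.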
As the attacker was in the process of depositing their ill-gotten gains into DeFi protocol Curve Finance, the Poly team appealed to all exchanges and stablecoin issuers to try and block or blacklist the attacker’s transactions.
Tether, the issuer of the USDT stablecoin, acted swiftly to blacklist the attacker’s address and freeze $33M in USDT. The attacker tried unsuccessfully to deposit the USDT into Curve just two minutes later. Had the deposit gone through, it’s likely that the funds would have been unrecoverable once commingled with other user deposits in Curve’s liquidity pools.
The Poly Network team has since published a letter to the hacker.
SlowMist, a blockchain security firm, claims to have obtained personal identifying information about the attacker that could aid in the recovery of the stolen crypto assets.
Perhaps in response, the attacker recently sent a transaction that included this message:
This is a similar message to one left by the recent Thorchain exploiter(s), who also claimed that they could have drained more assets than they did.
Given the scale of the heist, we can only hope that the attacker does have a white hat moment. For the moment, however, they seem content with trolling their hapless victims.