On August 10th the world had seen one of the biggest cryptocurrency thefts in history- a hacker had stolen roughly $610 million worth of cryptocurrency( $273M Ethereum, $253M Binance Tokens, $85M USDC) from the PolyNetwork, which was built to implement interoperability between multiple blockchains and exchange one kind of bitcoin for another(e.g. Bitcoin for ethereum). I say had because the hacker decided to return the entire stolen amount, which belonged to tens of thousands of people, to PolyNetwork. Initially they started in small amounts and the subsequent transactions were made in huge amounts.
How The Hack Was Carried Out
Poly Network operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tokens are interchanged between the blockchains using a smart contract which contains instructions on when to release the assets to the counterparties.One of the smart contracts that Poly Network uses to transfer tokens between blockchains maintains large amounts of liquidity to allow users to efficiently swap tokens, according to crypto intelligence firm CipherTrace.Poly Network tweeted on Tuesday that a preliminary investigation found the hacker exploited a vulnerability in this smart contract.According to an analysis of the transactions tweeted by Kelvin Fichter, an Ethereum programmer, the hacker appeared to override the contract instructions for each of the three blockchains and diverted the funds to three wallet addresses, digital locations for storing tokens which were later traced and published by Poly Network.
Cryptocurrency security firm SlowMist broke down the entire process of the breach and the link here will give an in-depth explanation.
According to a Blockchain forensics company, funds in more than 12 cryptocurrencies have been stolen by the hacker. Coindesk, a news site specializing in bitcoin and digital currencies, reported that the hacker had initially tried to transfer some of the assets from one of the three wallets into liquidity pool Curve.fi, but that transfer was rejected. Coindesk also reported about $100 million was moved out of another of the wallets and deposited into liquidity pool Ellipsis Finance. A day after the hack, the hacker started to return the stolen funds to Polynetwork into a wallet which both Poly Net and the hacker had access to. Except $33M which was frozen by Tether, the rest of the funds were returned. Tether had said that they were still having talks with the hacker.
Why Were The Funds Stolen In The First Place?
It is believed that the hacker tried to pose as a White Hat(a person who hacks into a computer network in order to test or evaluate its security systems.) and that they would eventually have returned the funds back. Of those involved, one of them claimed that Poly Network had a bug in their system which they wanted to expose before anyone else had exploited it. While some people, such as
Gurvais Grigg, chief technology officer at Chainalysis and former FBI veteran, think that the claim about being a whitehat hacker is a sham and the hacker had to return the funds because it would prove a very difficult task to launder an amount as large as $600M while risking prosecution in the process.
However, The Claim seems to be true. The hacker had spoken to Poly Network through embedded messages and they have confirmed that the hack wasn’t an elaborately planned effort and that they had claimed to do the hack “for fun” because “cross-chain hacking is hot.” Poly Network has offered $500000 as bounty and a position as chief security advisor at Poly Network, although the hacker had rejected the bounty previously while Poly Network was undergoing negotiations.”The poly did offer a bounty, but I have never responded to them. Instead, I will send all of their money back,” said the hacker. Poly Network feels grateful for the hacker’s “contribution” to Poly Network’s security enhancements.
Hacks like this make us wonder how many more flaws there are to be found in the world of Cryptocurrency and whether we will be lucky enough for a few more of these White hat hackers to rectify these mistakes before a hacker with an ill motive takes their place.