Cross-Chain DeFi Site Poly Network Hacked; Hundreds of Millions Potentially Lost

DeFi platform Poly Network was attacked on Tuesday, with the alleged hacker draining roughly $600 million in crypto.

Aug 10, 2021 at 1:56 p.m. UTC
Updated Sep 14, 2021 at 1:37 p.m. UTC

Cross-chain decentralized finance (DeFi) platform Poly Network was attacked on Tuesday, with the alleged hacker draining roughly $600 million in crypto.

Poly Network, a protocol launched by the founder of Chinese blockchain project Neo, operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tuesday's attack struck each chain consecutively, with the Poly team identifying three addresses where stolen assets were transferred.

At the time that Poly tweeted news of the attack, the three addresses collectively held more than $600 million in different cryptocurrencies, including USDC, wrapped bitcoin, wrapped ether and shiba inu (SHIB), blockchain scanning platforms show.

"We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses," the Poly team tweeted.

The $600 million figure would place the Poly Network hack among the largest in crypto history.

Tether froze approximately $33 million in relation to the hack, Tether CTO Paolo Ardoino tweeted.

About one hour after Poly announced the hack on Twitter, the hacker tried to move assets including USDT through the Ethereum address into liquidity pool Curve.fi, records show. The transaction was rejected.

Meanwhile, close to $100 million has been moved out of the Binance Smart Chain address in the past 30 minutes and deposited into liquidity pool Ellipsis Finance.

The Poly team could not be reached for comment at the time of publication.

Poly Network was the second Chinese interoperability protocol to be featured on the government-backed Blockchain-based Service Network.

Anatomy of an exploit

BlockSec, a China-based blockchain security firm, said in an initial attack analysis report that the hack may have been triggered by the leak of a private key that was used to sign the cross-chain message.

But it also added that another possible reason is a potential bug during Poly's signing process that may have been "abused" to sign the message.

According to another China-based blockchain security firm, Slowmist, the attackers’ original funds were in monero, a privacy-centric cryptocurrency, and were then exchanged for BNB, ETH, MATIC and a few other tokens. 

The attackers then initiated the attacks on the Ethereum, BSC and Polygon blockchains. The finding was supported by Slowmist’s partners, including China-based exchange Hoo.

“Based on the flows of the funds and multiple fingerprint information, it is likely a long-planned, organized, and well-prepared attack,” Slowmist wrote.

In response to the attack, a spokesperson from Binance Smart Chain told CoinDesk that as a “decentralized” blockchain, protocols and users on BSC need to take security measures “extremely seriously.”

“We are aware of the Poly exploit that has affected Ethereum, Polygon and BSC users,” the spokesperson said. “Recently, several trustless bridges have become victims of such critical attacks and we recommend security audits and necessary due diligence prior to interacting with any projects.”

The spokesperson said BSC is currently working with its security partners to provide as much support as possible to the ongoing investigation.

The Poly Network incident shows how nascent cross-chain protocols are particularly vulnerable to attacks. In July, cross-chain liquidity protocol Thorchain suffered two exploits in two weeks. Rari Capital, another cross-chain DeFi protocol, was hit by an attack in May, losing funds worth nearly $11 million in ETH.

“As evidenced by all the exploits we’ve seen, cross-chain is a very hard area … with the added complexity of connections with every other chain and all their idiosyncrasies,” Ryan Watkins, a research analyst at blockchain data firm Messari, said.

UPDATE (Aug. 10, 14:30 UTC): Adds information about the wallet addresses and Tether's move.

UPDATE (Aug. 10, 14:54 UTC): Adds information about funds moving out of the Binance Smart Chain address.

UPDATE (Aug. 10, 17:36 UTC): Adds comments from Slowmist and Messari.

UPDATE (Aug. 10, 18:02 UTC): Adds analysis by BlockSec on the possible causes of the hack.
