Cross-Chain DeFi Site Poly Network Hacked; Hundreds of Millions Potentially Lost
DeFi platform Poly Network was attacked on Tuesday, with the alleged hacker draining roughly $600 million in crypto.
Cross-chain decentralized finance (DeFi) platform Poly Network was attacked on Tuesday, with the alleged hacker draining roughly $600 million in crypto.
Poly Network, a protocol launched by the founder of Chinese blockchain project Neo, operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tuesday's attack struck each chain consecutively, with the Poly team identifying three addresses where stolen assets were transferred.
At the time that Poly tweeted news of the attack, the three addresses collectively held more than $600 million in different cryptocurrencies, including USDC, wrapped bitcoin, wrapped ether and shiba inu (SHIB), blockchain scanning platforms show.
"We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses," the Poly team tweeted.
The $600 million figure would place the Poly Network hack among the largest in crypto history.
Tether froze approximately $33 million in relation to the hack, Tether CTO Paolo Ardoino tweeted.
About one hour after Poly announced the hack on Twitter, the hacker tried to move assets including USDT through the Ethereum address into liquidity pool Curve.fi, records show. The transaction was rejected.
Meanwhile, close to $100 million has been moved out of the Binance Smart Chain address in the past 30 minutes and deposited into liquidity pool Ellipsis Finance.
The Poly team could not be reached for comment at the time of publication.
Poly Network was the second Chinese interoperability protocol to be featured on the government-backed Blockchain-based Service Network.
Anatomy of an exploit
BlockSec, a China-based blockchain security firm, said in an initial attack analysis report that the hack may be triggered by the leak of a private key that was used to sign the cross-chain message.
But it also added that another possible reason is a potential bug during Poly's signing process that may have been "abused" to sign the message.
The attackers then initiated the attacks on Ethereum, BSC and Polygon blockchains. The finding was supported by Slowmist’s partners, including China-based exchange Hoo.
“Based on the flows of the funds and multiple fingerprint information, it is likely a long-planned, organized, and well-prepared attack,” Slowmist wrote.
In a response to the attack, a spokesperson from Binance Smart Chain told CoinDesk that as a “decentralized” blockchain, protocols and users on BSC need to take security measures “extremely seriously.”
“We are aware of the Poly exploit that has affected Ethereum, Polygon and BSC users,” the spokesperson said. “Recently, several trustless bridges have become victims of such critical attacks and we recommend security audits and necessary due diligence prior to interacting with any projects.”
The spokesperson said BSC is currently working with its security partners to provide as much support as possible to the ongoing investigation.
The Poly Network incident shows how nascent cross-chain protocols are particularly vulnerable to attacks. In July, cross-chain liquidity protocol Thorchain suffered two exploits in two weeks. Rari Capital, another cross-chain DeFi protocol, was hit by an attack in May, losing funds worth nearly $11 million in ETH.
“As evidenced by all the exploits we’ve seen, cross-chain is a very hard area … with the added complexity of connections with every other chain and all their idiosyncrasies,” Ryan Watkins, a research analyst at blockchain data firm Messari, said.
UPDATE (Aug. 10, 14:30 UTC): Adds information about the wallet addresses and Tether's move.
UPDATE (Aug. 10, 14:54 UTC): Adds information about funds moving out of the Binance Smart Chain address.
UPDATE (Aug. 10, 17:36 UTC): Adds comments from Slowmist and Messari.
UPDATE (Aug. 10, 18:02 UTC): Adds analysis by BlockSec on the possible causes of the hack.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.