The likely perpetrator of one the largest crypto heists did it for “fun.” On Tuesday, an anonymous hacker or group stole some $600 million worth of crypto from Poly Network, apparently to teach the multi-chain platform a lesson (that’s what they said in a Q&A about their motivations and plans).
They identified a bug – or rather, a part of the code that enabled them to transfer money to themselves – and acted on it. The developers didn’t intend to put in a “free money” button, but it was there ready to be exploited. And praise be it was: It’s one more mistake that (hopefully) won’t be repeated.
"I am not very interested in money! I know it hurts when people are attacked, but shouldn't they learn something from those attacks?" the exploiter posted Wednesday in Ethereum blockchain data. At press time, approximately half of the stolen funds have been returned.
It’s not really my place to say whether they’re genuinely a “white hat” hacker or a black hat that realized it would be impossible to cash out. For what it’s worth, Tor Ekeland, an attorney who built a career out of defending computer miscreants, said: “Hacking is often more about the thrill of the hack than any object obtained in the hack.”
Hacks and exploits are not uncommon in the growing, multi-billion dollar decentralized finance (DeFi) ecosystem, of which Poly Network was a part. Often the result of hastily designed scripts or deeper flaws in at the protocol level, attacks are also an important part of how any computer network grows more secure. That’s doubly true in the world of blockchain.
In fact, some would say hacks lead to unhackable code. It’s a controversial point, especially because hackers don’t always return the stolen funds, and undoubtedly people are harmed in the process.
“In the world of blockchain, when somebody deploys a smart contract – like on Ethereum – that has a vulnerability, hundreds of millions of dollars disappear overnight and there’s no recourse,” legendary former Google computer scientist and founder of Agoric, Mark Miller, said at a Foresight Institute conference in 2018. “There are these huge bug bounties, effectively. And when one of these things gets collected, the software with these vulnerabilities dies.”
In other words, blockchain-based systems face evolutionary pressure. Weak projects face “an early death” so the entire system becomes populated by secure code.
Blockchain technology has only been around for a little over a decade. DeFi, as we know it, is even younger. There’s a case to be made we’re just at the beginning stages of adoption, with many more mistakes likely along the way.
Hacks aren’t the only way for projects or protocols to evolve. People can build simple things slowly, as in the case of Bitcoin, which has only ever been down twice over its 12-year lifespan. There are external audits and a potential role for policy-makers or government regulators to play.
But searching for flaws in a codebase or finding exploiters after the fact is like “hunting the wolves,” Zooko Wilcox-O'Hearn, computer security specialist and brainchild behind Zcash, said in a direct message, borrowing a line from Vitalik Buterin.
He should know. In 2015, his auditing company, Least Authority, was hired by a group of devs to do a security audit of the soon-to-be-launched Ethereum network. Many of the vulnerabilities they found were fixed, but not the one having to do with “reentrancy,” which enabled people to deploy smart contracts that could be exploited.
Just years later that same vulnerability was exploited in “The DAO hack,” a $55 million headache that led to the contentious fork between Ethereum and Ethereum Classic. At the time it filed its report, Least Authority even provided a hypothetical example of a smart contract that could be exploited: a crowd-funding smart contract, like The DAO.
As more money piles into smart contracts, it’s going to become harder and harder to “hunt the wolves” or individual exploiters. With hacks entire communities learn together what should and should not be repeated. Over time this leads to more “reliable” code. It’s one way to “armor the sheep.”
“If we as humans are going to rely on computers to do important things for us — and we are! — then we really require those programs to be unhackable. And despite the cynicism and despair among my fellow security experts, it is actually achievable!” Wilcox said.
“For every program like The DAO and Poly that got exploited because it had a vulnerability, you can point to another program that did the same thing but did not have that vulnerability. So progress is possible!”
UPDATE (Aug. 12, 2021, 18:35 UTC): Corrects Agoric's name. We regret the error.