Returned Funds, Blacklisted Tokens Raise More Questions Than Answers in DeFi's Biggest Hack
The Poly Network attacker has returned $342 million of their $613 million haul. Should token issuers freeze the rest?
Chatter about the largest hack in decentralized finance (DeFi) history has only intensified after the attacker or attackers returned at least $342 million worth of drained funds to Poly Network, the DeFi platform that was hacked.
Now the crypto community is raising moral questions about how involved centralized players such as Binance and Circle should be when it comes to limiting monetary damage in the realm of cyberattacks on DeFi platforms.
Others are asking whether an attacker or attackers like those in Poly Network’s case should be pardoned or even praised as they slowly return funds to the protocols they preyed upon.
At press time, more than $342 million worth of tokens – including USDC, BUSD, SHIB and FEI – have been returned to Poly Network through the Binance Smart Chain, Ethereum and Polygon blockchains, data show. The attacker or attackers started returning funds at approximately 08:47 UTC on Wednesday, and the latest return came at 19:06 UTC on the same day with roughly $84 million worth of USDC sent back to Poly Network on Polygon.
Centralization vs. decentralization
Despite the fanfare surrounding the attack on Poly Network, some market observers said it showcased the advantage of having at least some degree of centralization in DeFi.
As Tether Chief Technology Officer Paolo Ardoino quickly responded on Twitter that the stablecoin issuer froze about $33 million related to the Poly Network hack, many questioned the inaction from Binance Smart Chain (BSC), which is powered by centralized exchange Binance, and Circle, the company behind dollar-pegged stablecoin USDC.
A BSC spokesperson told CoinDesk that BSC is a “decentralized ecosystem where anyone and everyone can build on,” hinting that BSC cannot do much to roll back DeFi exploits on top of it.
Binance CEO Changpeng Zhao was more philosophical: “Unpopular opinion: nothing is risk free,” he said in a Twitter thread Tuesday, adding:
The response from Zhao and BSC came in the context of Binance retaining a significant degree of control over BSC. BSC’s security algorithm, known as Proof of Staked Authority (PoSA), is controlled by 21 node operators, who are elected by Binance Coin (BNB) holders. Binance is one of the largest holders of the BNB tokens, and so it still has significant sway over BSC, making the network more centralized than competing blockchains.
Lianfeng Zhang, chief security officer at blockchain security firm SlowMist, told CoinDesk that while BSC has fewer validators, a decision like freezing funds still needs to be voted on by the BSC community and the process can be “troubling and slow.”
Zhang also said that compared with Tether, USDC requires more compliance with little flexibility. Therefore, when an attack like the one on Poly Network occurs, it is almost impossible for Circle to act as fast as Tether did.
Circle didn't respond to CoinDesk’s requests for comment.
Paxos, the company that, with Binance, jointly administers BUSD, another dollar-pegged stablecoin that is part of the stolen funds, told CoinDesk it is currently "not doing anything" with blacklisting the involved tokens.
As the attacker or attackers started returning the drained funds, it appears they also had time to conduct a question-and-answer on the Ethereum blockchain.
The attacker or attackers allegedly wrote in one message embedded on a transaction on Ethereum that after spotting the bug on Poly Network, they ended up attacking the platform because they “can trust nobody.”
“I take the responsibility to expose the vulnerability before any insiders [are] hiding and exploiting it,” the message continued.
With the attacker or attackers becoming more engaged with the crypto community and having returned at least part of the funds, some members of the crypto world praised them as so-called white-hat hackers, a type of computer expert who ensures the security of a protocol by identifying and attacking its vulnerabilities.
In the Q&A, the attacker or attackers claimed they thought about informing Poly Network's staff about the bug but were afraid of a potential “traitor” who could be lured by the amount of money that was up for grabs.
However, according to Ari Redbord, head of legal and government affairs at blockchain intelligence firm TRM Labs, it is still too early to draw a conclusion about the motives of the hacker or hackers.
“If it turns out that these attackers did have benign ambitions and that they were testing the infrastructure or testing the defenses of a DeFi protocol, this was not the way to do it,” Redbord, who previously worked in the U.S. Department of the Treasury as a senior advisor on terrorism and financial intelligence, said.
“Essentially, what you have here is people who lost their belief … hundreds of millions of dollars and potentially life savings [were taken],” he added.
UPDATE (Aug. 11, 21:27 UTC): Adds comments from Paxos.