Reading 4 min Published Updated
Additional details come after the July 2 attack on the Poly Network cross-chain bridge platform, in which a hacker was able to issue billions of tokens out of thin air for profit.
In a July 2 tweet, Poly Network confirmed that it was the latest victim of a DeFi exploit after the attackers managed to manipulate the smart contract function in the bridge protocol, adding that it would temporarily suspend services.
In the latest update, the team revealed that the exploit affected 57 crypto assets across 10 blockchains, including Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKx, and others such as Metis.
He did not specify how much was stolen in the attack, but Peckshield previously reported that the attacker transferred at least $5 million worth of cryptocurrency.
“We have already begun communicating with centralized exchanges and law enforcement agencies and have reached out to them for help,” the team said in a July 3 update.
He also advised project teams and token holders to withdraw liquidity and unlock their LP (liquidity provider) tokens.
$34 billion Poly Network hack
DeFi security analyst @0xArhat said the exploit was the result of a smart contract vulnerability that allowed a hacker to “create a malicious parameter containing a fake validator signature and block header.”
This was adopted by a smart contract allowing a hacker to bypass the verification process, allowing them to issue tokens from the Ethereum Poly Network pool to their own address on other chains such as Metis, BNB Chain and Polygon.
This process was repeated for other chains, allowing a supply of tokens to build up.
According to the analyst, at one point the hacker’s wallet contained about $42 billion worth of tokens, but he was only able to convert and steal some of it.
“In this way, the hacker was able to create billions of tokens on various blockchains that did not exist before, and transfer them to his own wallet addresses.”
Poly Network’s latest exploit has been called the “34 billion Poly Network hack” by blockchain security solutions provider Dedaub.
Getting to the bottom of the “34 billion” Poly network hack with a technical postmortem.
TL; DR
Poly network had a simple 3 of 4 multisig arrangement over 2 years!
Looking at the final event we found that the private keys to the addresses marked were compromised. pic.twitter.com/Y0eMJXcYso
— Dedaub (@dedaub) June 2, 2023
Dedaub noted shortcomings in the protocol’s multi-signature, stating that it had a simple “3 of 4” multi-signature scheme for two years, adding:
“Looking at the final event, we found that the private keys to the marked addresses were compromised.”
Dedaub explained that the attack was not difficult as no logical fallacies were used. He added that Poly Network was slow to respond to the response within seven hours, costing the platform $5.5 million in stolen cryptocurrency. Fortunately, the lack of liquidity in many tokens prevented further losses.
Related: Over $204M Lost to DeFi Hacks and Scams in Q2
Following the attack, Binance CEO Changpeng Zhao reassured customers, stating that “This does not affect Binance users. We do not support deposits from this network.”
Poly Network got rekt again; allegedly because of compromised hot keys.
It’s going to keep happening untill our industry changes our approach to security.
Smart contract audits only scratch the surface.
ps Poly network has NOTHING to do with Polygon. https://t.co/n1qI48b4Kb
— Mudit Gupta (@Mudit_Gupta) June 2, 2023
Cointelegraph reached out to Poly Network for more information, but has not received a response as of press time.
Poly Network has already been attacked once in one of the largest exploits in the industry in August 2021, when hackers later revealed to be linked to the North Korean hacking collective Lazarus Group stole over $600 million.