PolyNetwork, a cross-chain bridge platform, was hacked on July 2; the hacker was able to issue billions of tokens out of thin air for profit. Since the attack, PolyNetwork has temporarily suspended its services and is engaging with relevant parties while assessing the damage done.
Details behind the PolyNetwork hack
PolyNetwork recently suffered what was first reported as a $34b hack. However, the realized amounts were reportedly much lower since most tokens were illiquid. The hack was first reported by PeckShield, an on-chain data analytics and security company, which asked the platform to investigate the issue.
Hi @PolyNetwork2, you may want to take a look: https://t.co/cmbxAsFPGL https://t.co/4cqVV6EryK
— PeckShield Inc. (@peckshield) July 2, 2023
The attacker minted 24 billion BUSD and BNB on the Metis blockchain, 999 trillion SHIB on Heco, and millions of other tokens on Polygon and Avalanche. Immediately after the attack, the attacker’s wallet held more than $42 billion worth of crypto, but just on paper.
PolyNetwork later confirmed the DeFi exploit and paused its EthCrossChainManager smart contracts on several chains: BSC, Ethereum, and Metis. The team confirmed the exploit affected 57 crypto assets on ten blockchains. The platform did not specify the amount stolen, but asked its users to remain calm and trust its commitment to safeguarding their assets.
Dear users, we would like to inform you that Poly Network is temporarily suspending its services due to a recent attack. We are actively engaging with relevant parties and diligently assessing the extent of the affected assets. 【1/3】
— Poly Network (@PolyNetwork2) July 2, 2023
According to DeFi security analyst Arhat, the exploit was caused by a vulnerability in a smart contract that gave the hacker the ability to create a malicious parameter with a forged validator signature and block header.
Because the smart contract accepted this forged parameter, the hacker could avoid the verification process and issue tokens from PolyNetwork's Ethereum pool to their own address on other chains like Metis, BNB Chain, and Polygon. The same procedure was repeated on other chains, which allowed the token stockpile to grow.
Blockchain security solutions provider Dedaub identified flaws in the protocol’s multi-signature system, noting that it had a basic “3 of 4” multi-signature setup over two years. Looking at the final event, Dedaub found that the private keys to the marked addresses had been compromised.
Dedaub explained the attack wasn’t particularly sophisticated since no logic flaws were exploited. In addition, PolyNetwork’s delay in responding cost the platform $5.5 million in stolen cryptocurrency because it took seven hours to react. Fortunately, low liquidity in several of the tokens stopped additional losses.
‘$34 billion’ PolyNetwork hack aftermath
Shortly after the hack, Metis developers confirmed that there was no liquidity available for BUSD and BNB, while the ill-acquired METIS tokens were locked on the PolyNetwork bridge; hence, all Metis Andromeda funds were safe.
We are aware of Polybridge’s ongoing situation, and are currently in contact with the PolyNetwork team to minimize the impact of the attack and further assess the situation.
In regards to the newly minted BNB and BUSD on Metis, there is no sell liquidity available.
All funds on…
— Metis 🌿 (@MetisDAO) July 2, 2023
Lookonchain, an analytics firm, mentioned that the hacker had found liquidity on other acquired tokens and exchanged 94 billion SHIB for 360 ETH, 15 million RFuel for 27 ether, and 495 million COOK for 16 ether. In addition, they noted the hacker was transferring assets and 1 ETH to new wallets, likely to sell the assets.
According to Arhat, the hacker could only convert a small portion of the tokens, estimating about $400,000 worth of crypto. However, SlowMist, a blockchain security firm, estimated the gains were higher, with the hacker cashing in over $4 million of digital assets. The amount included ETH worth $3 million and SHIB worth $700,000.
🚨MistTrack Security Alert🚨@PolyNetwork2 has been hacked again.
1/ The main hacker profit address is 0xe0af…a599. The Hacker has cashed in over $4.39 million in mainstream assets. pic.twitter.com/SYPFI4n9kF
— MistTrack🕵️ (@MistTrack_io) July 2, 2023
As the investigation continues, Binance has assured users that they remain unaffected since the exchange does not accept PolyNetwork deposits.
This does not affect @Binance users. We do not support deposits from this network. Our security team is assisting them in its investigations though. Stay #SAFU. https://t.co/0EsD5Ux6vW
— CZ 🔶 Binance (@cz_binance) July 2, 2023
Meanwhile, PolyNetwork also issued a statement urging project teams and token holders to remove liquidity and unlock liquidity provider tokens.
PolyNetwork’s second hack in two years
The recent PolyNetwork attack is the second time hackers have targeted the platform. In 2021, the protocol suffered a record exploit involving over $600 million in assets.
The hack resulted from an alleged leak of a private key that was used to sign a cross-chain message. Almost all of the funds were returned, apart from $33 million in Tether, after PolyNetwork offered $500k to the hacker to return the money and gain immunity.
Source: https://www.thecoinrepublic.com/2023/07/05/polynetwork-recap-hacker-gets-access-to-cryptos-worth-34b/