DeFi Super-GAU: PolyNetwork relieved of 611 million US dollars

Security gaps are still one of the teething troubles of DeFi protocols. In the young financial niche, it is not uncommon to proceed according to the trial-and-error principle. Faulty smart contracts can then prove to be very costly in retrospect.

Compared to yesterday’s attack on PolyNetwork, however, the hacks of recent history seem like odds and ends. In what appears to have been a long-planned attack, a hitherto unknown hacker captured around 611 million US dollars via the cross-chain platform. Ethereum ($273 million), the Binance smart chain ($253 million), and Polygon ($85 million) were all helped. The hack is the largest in DeFi history.

The exact sequence of events cannot be fully reconstructed at this point. Crypto forensics firm BlocSec writes in a blog post that “one possible reason is either the leak of the private key used to sign the cross-chain message, or that there is a flaw in the PolyNetwork signing process that was abused to sign a manipulated message.” There is also speculation about a possible inside job.

PolyNetwork goes on the offensive

The PolyNetwork team itself commented on the matter in a series of tweets. According to them, a vulnerability in the Smart Contract had made the hack possible: “After an initial investigation, we found the cause of the vulnerability. The hacker exploited a vulnerability between contract calls.” In addition, the platform went on the offensive in a letter addressed directly to the attacker:

Law enforcement in all countries will consider this a serious economic crime and you will be prosecuted. It is very unwise of you to make any further transactions. The money you stole came from tens of thousands of members of the crypto community, the people.

PolyNetwork has urged miners of the affected blockchains to “blacklist” the relevant tokens from the attacker’s address. Support, meanwhile, is coming from the crypto space. Tether CTO Paolo Ardoini claimed to have “frozen” $33 million in Tether (USDT) in connection with the hack. Jay Hao, CEO of crypto exchange OKEx, wrote that they were “already on the case” and “watching the movement of coins.” Huobi co-founder Jun Du <a href=”https://twitter.com/DujunX/status/1425100770588954626″ target=”_blank” rel=”noopener”>also appeases that “security teams are already tracking and identifying the addresses involved.” And Binance CEO Changpeng “CZ” Zhao also promises to“proactively help” with tracking.

See also  Solana (SOL) hits $100 for the first time after the revelation of the mysterious "Ignition" event

SlowMist already seems to be one step ahead. According to the blockchain security team, they have already been able to “capture the attacker’s mailbox, IP, and device fingerprints through on-chain and off-chain tracking.” Possible clues “to the identity of the PolyNetwork attacker” are now being tracked.