$611 000 000 USD

AUGUST 2021

GLOBAL

POLY NETWORK

DESCRIPTION OF EVENTS

"In order to build a better next-generation internet infrastructure, we have launched a new cross-chain technology, the Poly Network. Poly Network is based on the side-chain/relay mode and adopts a two-layer architecture. It employs the Poly chain as a cross-chain coordinator, multiple homogeneous chains as crosschain transaction executors, and Relayer as a cross-chain information porter. By resolving issues such as trust, security and transaction issues of chain data, we have realized a safe, easy-to-use and efficient cross-chain system."

 

"Poly Network acts as a cross-chain interoperability bridge to facilitate the transfer of tokens between two relatively independent blockchains. As such, one of their main Poly Network smart contracts is the bridge itself. In order for bridges between chains to act effectively (e.g. for users to be able to use the network to transfer tokens across chains), they need to maintain large sums of liquidity. Whenever a user wants to “bridge” between chains Poly Network needs to efficiently burn/mint the equivalent assets on the respective chains."

 

"Poly Network is built to implement interoperability between multiple chains in order to build the next generation internet infrastructure. Authorized homogeneous and heterogeneous public blockchains can connect to Poly Network through an open, transparent admission mechanism and communicate with other blockchains. Poly Network has already integrated Bitcoin, Ethereum, Neo, Ontology, Elrond, Ziliqa, Binance Smart Chain, Switcheo and Huobi ECO Chain. More institutions and organizations are welcome to join Poly Network and build the next generation internet with us."

 

"The contract that issues these cross-chain token transfers uses “keepers” to verify and execute the transactions. Once the keeper signs on the source chain the CrossChainManager contract on the destination chain will check the Keeper’s signature for validity and execute the equivalent on the destination chain to complete the “bridge”."

 

"There is currently no indication that the Poly Network code had ever received an audit. Searching through the protocol’s GitHub repos did not indicate any audits had been performed or reported."

 

"On August 10, Poly Network suffered a $612 million hack—the largest crypto-related hack to date. Where the typical DeFi hack is against specific DeFi instruments, resulting in much smaller losses, in this case the attack was against Poly Network’s infrastructure, focusing on the DeFi platform itself and targeting control of the decentralized exchange’s (DEX) smart contracts."

 

"Since the smart contract executes the transactions and not the user themselves, the hacker was able to exploit the CrossChainManager smart contract and swap the “keepers” for a malicious keeper under their control. As a result, the main cross-chain contract on the Poly Network became completely controlled by the hacker, allowing him to unlock tokens that were supposed to remain locked within the bridge contract and move the tokens to addresses under his control. The hacker then replicated the attack across chains."

 

"As a result, the main cross-chain contract became completely controlled by the hacker, allowing him to unlock tokens that were supposed to be locked within the contract, send the tokens to addresses under their control, and then repeat the attack across chains."

 

"Poly has a contract called the "EthCrossChainManager". It's a privileged contract that has the right to trigger messages from another chain. It's a standard thing for cross-chain projects."

 

"It has a function named verifyHeaderAndExecuteTx that anyone can call to execute a cross-chain transaction."

 

"It (1) verifies that the block header is correct by checking signatures (seems the other chain was a poa sidechain or) and then (2) checks that the transaction was included within that block with a Merkle proof. Here's the code."

 

"One of the last things the function does is call executeCrossChainTx, which makes the call to the target contract. This is where the critical flaw sits. Poly checks that the target is a contract, but they forgot to prevent users from calling a very important target... the EthCrossChainData contract"

 

"By sending this cross-chain message, the user could trick the EthCrossChainManager into calling the EthCrossChainData contract, passing the onlyOwner check. Now the user just had to craft the right data to be able to trigger the function that changes the public keys…"

 

"The only remaining challenge was to figure out how to make the EthCrossChainManager call the right function. Now comes a little bit of complexity around how Solidity picks which function you're trying to call."

 

"The first four bytes of transaction input data is called the "signature hash" or "sighash" for short. It's a short piece of information that tells a Solidity contract what you're trying to do."

 

The sighash of a function is calculated by taking the first four bytes of the hash of "<function name>(<function input types>)". For example, the sighash of the ERC20 transfer function is the first four bytes of the hash of "transfer(address,uint256)".

 

"Poly's contract was willing to call any contract. However, it would only call the contract function that corresponded to the [right] sighash." "All the attacker had to do to call the right function was figure out some value for "_method" that, when combined with those other values and hashed, had the same leading four bytes as the sighash of our target function."

 

"With just a little bit of grinding, you can easily find some input that produces the right sighash. You don't need to find a full hash collision, you're only checking the first four bytes." "[H]ere's the actual sighash of the target function: http://ethers.utils.id ('putCurEpochConPubKeyBytes(bytes)').slice(0, 10) '0x41973cd9'"

 

"And the sighash that the attacker crafted... http://ethers.utils.id ('f1121318093(bytes,bytes,uint64)').slice(0, 10) '0x41973cd9'"

 

"Fantastic. No private key compromise required! Just craft the right data and boom... the contract will just hack itself!"

 

"This attack is mainly because the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute the data passed in by the user through the _executeCrossChainTx function. Therefore, the attacker uses this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract. It is not the case that this event occurred due to the leakage of the keeper’s private key."

 

"1. The core of this attack is that the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute specific cross-chain transactions through the _executeCrossChainTx function."

 

"2. Since the owner of the EthCrossChainData contract is the EthCrossChainManager contract, the EthCrossChainManager contract can modify the keeper of the contract by calling the putCurEpochConPubKeyBytes function of the EthCrossChainData contract."

 

"3. The verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can perform user-specified cross-chain transactions by calling the _executeCrossChainTx function internally. So the attacker only needs to pass in the carefully constructed data through the verifyHeaderAndExecuteTx function for the _executeCrossChainTx function to execute the call to the EthCrossChainData contract PutCurEpochConPubKeyBytes function to change the keeper role to the address specified attackers."

 

"4. After replacing the address of the keeper role, the attacker can construct a transaction at will and withdraw any amount of funds from the contract."

 

"Shortly after the exploit, an unexpected protagonist appeared, going by the name of hanashiro.eth."

 

"hanashiro.eth first gained attention when they sent the hacker a tip about how to handle USDT, for which they received 13.37 Ether from the hacker as a reward." "Many others sent messages to the hacker afterwards, but none were quite as successful as hanashiro.eth."

 

"Hanashiro sent 1.337 of the 13.37 ETH he received to Vitalik." "Meanwhile our old friend hanashiro is now on a donation spree. Even donated to @RektHQ who will be writing extensively on him in their next report."

 

"With a truly crypto native level of philanthropic showmanship, hanashiro.eth went on to donate their stolen money to a few of the foundational organisations which support our industry, such as Infura, Etherscan, and rekt.news."

 

"Tether froze all of the 33M USDT that were stolen on the Ethereum chain." "$33M USDT frozen."

 

"By this point th[ings] had really hit the fan; and all eyes were on Poly Network, who resorted to posting an open letter to the attacker begging them to return the funds."

 

"[T]hen @WardBradt tweeted."

 

"Did the PolyNetwork Exploiter accidentally use the wrong sender address for this tx? The sender address is tied to FTX, Binance, Okex accounts."

 

"In all the swapping the hacker has done in an effort to obfuscate their trail, it appears the hacker had at one point reused a wallet that already had previous transactions with some prominent exchanges that could have identifying “know your customer” (KYC) information on him."

 

"Surely a hacker who feels confident enough to attempt an attack of this scale wouldn’t make such a basic OPSEC error? Or maybe they used fake KYC documents…"

 

"Either way, we began to see signs of fear from the attacker."

 

"The hacker began to suggest that they might return "some tokens" or even abandon them, saying that they were "not so interested in the money"."

 

"Then the hacker considered the idea of creating a DAO to distribute the stolen funds."

 

"Finally, the pressure became too much, and the hacker announced that they were “READY TO SURRENDER”"

 

"In an unexpected and unprecedented move, the attacker is now returning the funds to Poly Network."

 

"They announced that they were "READY TO RETURN THE FUNDS!" in an Ethereum transaction that was sent from the same wallet used for the attack."

 

"Before sending the first return transaction, the hacker created a token called "The hacker is ready to surrender" and sent this token to Poly Network who announced that they had set up a multisig controlled by ‘’known Poly addresses’’."

 

"In an August 17 Medium article, the Poly Network team announced that they had offered the hacker, whom they refer to as “Mr. White Hat,” the position of Chief Security Officer along with a $500,000 bounty for identifying the exploit. In the post, the team declared they have “no intention of holding Mr. White Hat legally responsible.”"

 

"CipherTrace has confirmed nearly all funds have been returned to Poly Network into the addresses they had developed specifically for the hacker to return the funds."

 

"the method to fix the vulnerability is using allow lists. The allow lists are initialized when creating the EthCrossChainManager. By doing so, this patch can ensure" that "[o]nly the contract in the allow lists can invoke the crossChain function, which is used to start the cross-chain transaction" and "[o]nly the method and the contract in the allow lists can be invoked by the cross-chain transaction."

The Poly Network allows different smart chains to interact with one another securely. However, it contained a vulnerability which allowed funds to be removed. A hacker exploited the vulnerability, messed up their transactions such that their identity became known, and then proceeded to return the funds in exchange for a $500k bounty and legal immunity.

 

It remains to be seen whether the legal immunity will hold up in court. In the meantime, the funds have been distributed back to affected users.

HOW COULD THIS HAVE BEEN PREVENTED?

It's not wise placing such a large amount of liquidity in a smart contract hot wallet, especially without an audit. The only truly secure storage of assets is an offline multi-sig wallet. In the future, it's very likely that insurance protocols will reduce some of the risk.

 

This was a lucky case in that losses were minimized by the hacker returning the funds.

 

Check Our Framework For Safe Secure Exchange Platforms

Cryptocurrency Heist: Poly Network Says Hackers Stole Record $600 Million | Technology News (Aug 18)
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 10)
The Retrospection Of The Poly Network Hack From A Security Researcher Perspective (Aug 28)
The Further Analysis Of The Poly Network Attack (Aug 28)
The Analysis And Q A Of Poly Network Being Hacked (Aug 28)
The Root Cause Of Poly Network Being Hacked (Aug 28)
Polynetwork Bug Review And Patch Analysis (Aug 28)
Poly Network Hack Analysis - Largest Crypto Hack | Mudit Gupta's Blog (Aug 28)
Rekt - Poly Network - REKT (Aug 28)
@kelvinfichter Twitter (Aug 28)
SlowMist: Tracking possible identification clues related to Poly Network attackers | by SlowMist | Medium (Aug 28)
Hacker Returns Poly Network Funds Ransom Deals In The Time Of Defi (Aug 28)
The 600m Poly Network Hack The Biggest Hack In Defi History (Aug 28)
@sniko_ Twitter (Aug 28)
Poly network and Hacker Communicate (Aug 28)
Poly Network Suffers Largest Crypto Hack Ever Recorded - CipherTrace (Sep 9)
PolyNetwork (Sep 16)
Poly Network Loses $611 Million in the Biggest DeFi Hack to Data (Sep 16)
PolyNetwork: An Interoperability Protocol for Heterogeneous Blockchains (Sep 18)
@PolyNetwork2 Twitter (Sep 18)
Contract Address 0x7cea671dabfba880af6723bddd6b9f4caa15c87b | BscScan  (Sep 18)
Binance Transaction Hash (Txhash) Details | BscScan  (Sep 18)
Binance Transaction Hash (Txhash) Details | BscScan  (Sep 18)
Binance Transaction Hash (Txhash) Details | BscScan  (Sep 18)
Binance Transaction Hash (Txhash) Details | BscScan  (Sep 18)
Binance Transaction Hash (Txhash) Details | BscScan  (Sep 18)
Binance Transaction Hash (Txhash) Details | BscScan  (Sep 18)
Binance Transaction Hash (Txhash) Details | BscScan  (Sep 18)
Contract Address 0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270 | Etherscan  (Sep 18)
Ethereum Transaction Hash (Txhash) Details | Etherscan  (Sep 18)
Ethereum Transaction Hash (Txhash) Details | Etherscan  (Sep 18)
@paoloardoino Twitter (Sep 18)
@PolyNetwork2 Twitter (Sep 18)
Ethereum Transaction Hash (Txhash) Details | Etherscan  (Sep 18)
@wardbradt Twitter (Sep 18)
Polynetwork and Hacker Communicate - Google Drive (Sep 18)
The Informal Security Review Of The Patch Of The Poly Network (Oct 14)
https://mobile.twitter.com/certik_io/status/1426219879171072001 (Jan 10)
https://mobile.twitter.com/certik_io/status/1425674497177366529 (Jan 10)
The Poly Hack and Crypto’s Trust Issues | David Z. Morris – Defi (Feb 12)
DeFi Protocol PolyNetwork Suffers Major Attack, Over $600 Million Worth of Crypto Stolen – Defi (Feb 12)
Poly Hack Raises More Questions Than Answers – Defi (Feb 12)
Hackers Stole Over $600 Million from Poly Network Through Exploit – Defi (Feb 12)
Poly Network Prepares for Hacker to Return Millions in Stolen Crypto – Defi (Feb 12)
Crypto Panhandlers Beg Poly Network Attacker for Share of $613M Haul – Defi (Feb 12)
Cross-Chain DeFi Site Poly Network Hacked; Hundreds of Millions Potentially Lost – Defi (Feb 12)
Poly Hack Raises More Questions Than Answers - CoinDesk (May 7)
Polynetwork Hack Analysis (May 30)
https://www.bbc.com/news/business-58180692 (Jul 2)
play (Jul 2)
Bloomberg - Are you a robot? (Jul 2)
Hackers return $260 mln to cryptocurrency platform after massive theft | Reuters (Jul 2)
Rekt - Poly Network - REKT (Jul 22)
https://etherscan.io/address/0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963 (Jul 22)
https://etherscan.io/txs?a=0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963&p=33 (Jul 22)
https://etherscan.io/tx/0xae2442c5b5721df8c190fd8f59b53b6dc56a875fb03035ad34276a598ddf7d31 (Jul 22)
https://bscscan.com/txs?a=0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71&p=105 (Jul 22)
@amanusk_ Twitter (Jul 22)
https://etherscan.io/tx/0xdf3afc47c7914e06ddb1be19afcd769e558111d353e55273a62c4a96e6a6090f (Jul 22)
@amanusk_ Twitter (Jul 22)
@HsakaTrades Twitter (Jul 22)
@TheBlock__ Twitter (Jul 22)
@HsakaTrades Twitter (Jul 22)
@UnderTheBreach Twitter (Jul 22)
@HsakaTrades Twitter (Jul 22)
https://www.theblock.co/post/114045/at-least-611-million-stolen-in-massive-cross-chain-hack (Jul 22)
https://www.breadcrumbs.app/reports/671 (Jul 22)

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.