Poly Network exploit: Difference between revisions
Older revision: #suggestededit-add-desc 1.0 (Tags: Mobile edit, Mobile app edit, Android app edit)
Newer revision: Rescuing 9 sources and tagging 0 as dead. #IABot (v2.0.9.5)
Revision as of 22:28, 21 May 2024
The Poly Network exploit was an attack conducted by anonymous hackers on August 10, 2021. The attack transferred over $610 million in cryptocurrency to the hackers. All assets were returned to Poly Network over the following 15 days. It was one of the largest security incidents in DeFi's history by mark-to-market value.
Background
Poly Network is an interoperability protocol that lets users trade one cryptocurrency for another, such as trading Bitcoin for Ethereum.[1] Before the attack, Poly Network had transferred $10 billion in digital assets between blockchains, with total value of nearly $1 billion.
Attack
The hackers transferred approximately $610 million of the most valuable digital assets to three addresses they controlled on Ethereum, Binance Smart Chain and Polygon.[2][3]
After the attack, the Poly team asked exchanges and miners to watch for the flow of stolen tokens and called for the hackers' transactions to be blocked; Tether froze $33 million worth of USDT. In an open letter on Twitter, the Poly team sought to establish communication with the hackers and urged them to return the stolen tokens. [citation needed]
The hackers announced on August 11, 2021 that they planned to return the tokens. They claimed that the purpose of the theft was to expose vulnerabilities and make Poly Network more secure. They communicated with the public through a Q&A, embedding messages in transactions sent from their addresses.[4]
The hackers insisted on multi-signature addresses for the transfer. Poly Network generated a collection address and began recovering the first returned assets on August 11. On August 13, the hackers returned assets worth $340 million and transferred the bulk of the remainder to a multi-signature address jointly controlled by them and Poly Network.[5][6]
After receiving the returned tokens, Poly Network started to address the hackers as "Mr. White Hat" and offered to reward them with a $500,000 bug bounty and the position of "chief security advisor" of Poly Network, as a strategy to ensure the safe return of the rest of the affected assets.[7]
The last of the hacked money was returned to Poly Network on August 25.[8]
Reaction
Poly Network's decision to refer to the hackers as "white hats" angered some in the security world, who worried that it might set a precedent for criminal hackers to whitewash their actions. White hat hacker Katie Paxton-Fear said that "labelling this hack as a white hat is really disappointing".[9] Charlie Steele, a former Department of Justice and FBI official, said that "Private companies have no authority to promise immunity from criminal prosecution," and that "in this event where a hacker stole the $600m 'for fun' and then returned most of it, all while remaining anonymous, is not likely to lessen regulators' concerns about the variety of risks posed by cryptocurrencies."[9]
Aftermath
Poly Network launched a global bug bounty program on Immunefi. The program aims to encourage more security agencies and white hat organizations to participate in the audit of Poly Network's core functions, especially to address potential security risks. Rewards are distributed according to the impact of the vulnerability, based on the Immunefi Vulnerability Severity Classification System; rewards range up to $100,000 for critical vulnerabilities.[10]
References
1. "Poly Network Whitepaper" (PDF). Archived (PDF) from the original on 2020-10-26. Retrieved 2020-05-20. [non-primary source needed]
2. Ponciano, Jonathan. "More Than $600 Million Stolen In Ethereum And Other Cryptocurrencies—Marking One Of Crypto's Biggest Hacks Ever". Forbes. Archived from the original on 2021-12-04. Retrieved 2021-12-04.
3. KrakenFX (2021-09-22). "Abusing Smart Contracts to Steal $600 million: How the Poly Network Hack Actually Happened". Kraken Blog. Archived from the original on 2022-07-17. Retrieved 2022-07-17.
4. Russon, Mary-Ann (2021-08-11). "Cryptocurrency heist hacker returns $260m in funds". BBC. Archived from the original on 2021-08-11. Retrieved 2021-08-11.
5. John, Alun (2021-08-14). "Crypto platform Poly Network rewards hacker with $500,000 'bug bounty'". Reuters. Archived from the original on 2021-08-13. Retrieved 2021-08-14.
6. "Poly Network Attacker Returning Funds After Pulling Off Biggest DeFi Theft Ever". Chainalysis. 2021-08-12. Archived from the original on 2022-07-17. Retrieved 2022-07-17.
7. "'White hat' hacker behind $610m crypto heist returns most of money". The Guardian. Retrieved 2021-08-13.
8. Browne, Ryan (2021-08-23). "Hacker behind $600 million crypto heist returns final slice of stolen funds". CNBC. Archived from the original on 2022-07-17. Retrieved 2022-07-17.
9. Tidy, Joe (2021-08-13). "Crypto hacker offered reward after $600m heist". BBC. Archived from the original on 2021-08-12. Retrieved 2021-08-13.
10. "Poly Network Joins Immunefi With $100,000 Bug Bounty After Hack". Archived from the original on 2021-08-17. Retrieved 2021-08-17.