Jump to content

Poly Network exploit

Add links
From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Pppery (talk | contribs) at 00:33, 10 June 2022 (Cleanup, remove excessive technical detail and redundant information; let's avoid saying "white-hat hacker" in wikivoice given the criticism section; remove massively outdated "exploit analysis" section; add maintenance tags). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

On August 10, 2021, Poly Network was attacked by anonymous hackers, causing over $610 million in digital cryptocurrency at the price of that date to be transferred to hacker-controlled addresses. Eventually, all assets were returned to Poly Network over the next 15 days. This was one of the largest security incident in DeFi's history in terms of the mark-to-market value of stolen assets.

Poly Network is an interoperability protocol for blockchain, which lets users swap tokens from one digital ledger to another. Poly Network works by facilitating exchange between several blockchains as users trade one cryptocurrency for another, such as trading Bitcoin for Ether..[1]

Before the attack, Poly Network had transferred $10 billion in digital assets between blockchains, with total locked value of nearly $1 billion across the whole network, of which the white hat hackers transferred approximately $610 million of the most valuable digital assets to three addresses controlled by the hackers on Ethereum, Binance Smart Chain and Polygon.[2]

After the attack, the Poly's team asked exchanges and miners to be aware of the flow of stolen tokens and called for the hacker's transactions to be stopped, Tether froze $33 million worth of USDT. In an open letter on Twitter, the Poly team wanted to establish communication with the hackers and urge the hackers to return the stolen tokens. [citation needed]

The hackers announced on August 11, 2021 that they had been planning to return the tokens and the purpose of the theft was to reveal vulnerabilities and secure Poly Network. They posted a self Q&A to communicate with the public by embedding messages in transactions with their addresses. [3]

The hackers then required multi-signature addresses for transfer. Poly Network generated a collection address and started to recover the assets that were returned first on August 11. On August 13, the hackers returned assets worth $340 million and transferred the bulk of the rest to a multi-signature address jointly controlled by them and Poly Network.[4]

After receiving tokens, Poly Network started to address the hackers as "Mr. White Hat" and offered to reward them with a $500,000 bug bounty and the position of "chief security advisor" of Poly Network, as a strategy to ensure safe return of the rest affected assets.[5]. Poly Network's decision to refer to the hackers as "white hats" has angered some in the security world who are worried that it might set a precedent for criminal hackers to white-wash their actions. A white hat hacker Katie Paxton-Fear said that "labelling this hack as a white hat is really disappointing".[6] Charlie Steele, former Department of Justice and FBI official, thought "Private companies have no authority to promise immunity from criminal prosecution," and "in this event where a hacker stole the $600m 'for fun' and then returned most of it, all while remaining anonymous, is not likely to lessen regulators' concerns about the variety of risks posed by cryptocurrencies."[6]

The last of the hacked money was returned to Poly Network on August 25.[7][better source needed]

Aftermath

Poly Network launched the global bug bounty program on Immunefi. The program aims at encouraging more security agencies and white hat organizations to participate in the audit of Poly Network's core functions, especially to address potential security risks. Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System — the rewards range up to $100,000 for critical vulnerabilities.[8]

References

  1. ^ "Poly Network Whitepaper" (PDF). Retrieved 2020-05-20.[non-primary source needed]
  2. ^ Ponciano, Jonathan. "More Than $600 Million Stolen In Ethereum And Other Cryptocurrencies—Marking One Of Crypto's Biggest Hacks Ever". Forbes. Retrieved 2021-12-04.
  3. ^ Russon, Mary-Ann (2021-08-11). "Cryptocurrency heist hacker returns $260m in funds". BBC. Retrieved 2021-08-11.
  4. ^ John, Alun (2021-08-14). "Crypto platform Poly Network rewards hacker with $500,000 'bug bounty'". Reuters. Retrieved 2021-08-14.
  5. ^ "White hat' hacker behind $610m crypto heist returns most of money". The Guardian. Retrieved 2021-08-13.
  6. ^ a b Tidy, Joe (2021-08-13). "Crypto hacker offered reward after $600m heist". BBC. Retrieved 2021-08-13.
  7. ^ Ghosh, Monika (2021-08-24). "Poly Network hackers return remaining stolen assets". Forkast.News. Retrieved 2021-08-24.
  8. ^ "Poly Network Joins Immunefi With $100,000 Bug Bounty After Hack". Retrieved 2021-08-17.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Poly_Network_exploit&oldid=1092386140"