Further details have emerged following a July 2 attack on cross-chain bridge platform Poly Network, which allowed a hacker to issue billions of tokens from scratch for profit.
In a July 2 Twitter post, Poly Network confirmed it became the latest DeFi exploit victim after attackers successfully manipulated a smart contract function on the cross-chain bridge protocol, adding that it would temporarily suspend services.
In the latest update, the team revealed that the exploit affected 57 crypto assets across 10 blockchains, including Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKx, and others such as Metis.
The team did not specify how much was stolen in the attack, but PeckShield earlier reported that the exploiter had transferred at least $5 million worth of crypto.
“We have already initiated communication with centralized exchanges and law enforcement and requested their assistance,” the team said in a July 3 update.
The team also advised project teams and token holders to withdraw liquidity and unlock their LP (Liquidity Provider) tokens.
Breakdown of the “34 Billion” Poly Network Hack
DeFi security analyst @0xArhat said the exploit was the result of a smart contract vulnerability that allowed the hacker to “create a malicious parameter containing a fake validator signature and block header.”
The smart contract accepted this parameter, which let the hacker bypass the verification process and issue tokens from Poly Network’s Ethereum pool to their own address on other chains, such as Metis, BNB Chain, and Polygon.
The process was repeated for other chains, allowing the pool of tokens to accumulate.
At one point, the hacker’s wallet contained around $42 billion in tokens, but the hacker was only able to convert and steal a fraction of it, the analyst said.
“This way, the hacker was able to mint billions of tokens on various blockchains that didn’t exist before and transfer them to their own wallet addresses.”
Blockchain security solution provider Dedaub has dubbed Poly Network’s latest exploit a “34 billion Poly Network hack.”
Getting to the bottom of the Poly Network “34 billion” hack with a technical post-mortem.
The Poly network had a simple 3 of 4 multisig arrangement over 2 years!
Looking at the final event, we found that the private keys of the marked addresses were compromised. pic.twitter.com/Y0eMJXcYso
— Dedaub (@dedaub) July 2, 2023
Dedaub pointed to weaknesses in the protocol’s multisig setup, noting that it had a simple “3 of 4” multi-signature arrangement over two years, and adding:
“Looking at the final event, we found that the private keys of the marked addresses were compromised.”
Dedaub explained that the attack was not complex because no logic bugs were exploited. It added that Poly Network was slow to respond, taking seven hours, which cost the platform $5.5 million in stolen crypto. Fortunately, a lack of liquidity in many tokens prevented further losses.
Following the attack, Binance CEO Changpeng Zhao reassured customers, saying: “This does not affect Binance users. We do not support repositories from this network.”
Poly Network was again rekt; allegedly due to compromised shortcut keys.
This will continue until our industry changes its approach to security.
Smart contract audits only scratch the surface.
ps The Poly network has NOTHING to do with Polygon. https://t.co/n1qI48b4Kb
— Mudit Gupta (@Mudit__Gupta) July 2, 2023
Cointelegraph has contacted Poly Network for further details, but did not hear back at press time.
Poly Network was previously attacked in August 2021, in one of the industry’s biggest exploits, when hackers, later revealed to be linked to North Korean hacking collective Lazarus Group, took more than $600 million.