Poly Network Hack: A Breakdown of the Attack and the Response from the Crypto Community

Poly Network, a cross-chain bridge platform, was recently hacked, resulting in the manipulation of a smart contract function. The attack allowed hackers to issue billions of tokens across multiple blockchains, including Ethereum, BNB Chain, Polygon, and more.

#PeckShieldAlert @PolyNetwork2 exploiter has transferred more than $5M worth of cryptos out on #Ethereum, #BNBChain, and #Polygon, especially 1.5K $ETH ($2.88M) to 0x23f4…c671, 440 $ETH ($844K) to 0xc8Ab…C42F, and 300 $ETH (~$575K) to 0xfD3E…b778https://t.co/EbYdTo3xIg… pic.twitter.com/I5Lg9UJ0eU
— PeckShieldAlert (@PeckShieldAlert) July 2, 2023

Attack Details

The exploit was carried out by manipulating a smart contract vulnerability that allowed the hacker to craft a malicious parameter, bypassing the verification process.

Getting to the bottom of the "34 billion" Poly network hack with a technical postmortem.

TL ; DR

Poly network had a simple 3 of 4 multisig arrangement over 2 years!

Looking at the final event we found that the private keys to the addresses marked were compromised. pic.twitter.com/Y0eMJXcYso
— Dedaub (@dedaub) July 2, 2023

This enabled the hacker to issue tokens from Poly Network’s Ethereum pool to their own addresses on various chains, accumulating a substantial token stash.

Poly Network got rekt again; allegedly because of compromised hot keys.

It's going to keep happening untill our industry changes our approach to security.

Smart contract audits only scratch the surface.

ps Poly network has NOTHING to do with Polygon. https://t.co/n1qI48b4Kb
— Mudit Gupta (@Mudit__Gupta) July 2, 2023

Affected Assets

A total of 57 crypto assets on 10 blockchains were impacted by the attack, although the exact amount stolen has not been disclosed. Reports suggest that at least $5 million worth of crypto has been transferred out by the exploiter.

Poly Network’s Response

The team at Poly Network has initiated communication with centralized exchanges and law enforcement agencies, seeking their assistance in addressing the situation.

They have also advised liquidity withdrawal and unlocking of liquidity provider tokens for project teams and tokenholders.

Vulnerability Analysis

Security experts have identified weaknesses in Poly Network’s multisig protocol, highlighting a simple “3 of 4” multisignature arrangement that was compromised. The attack did not exploit logic bugs but rather exposed the compromised private keys of certain addresses.

Impact and Reassurance

The seven-hour response time from Poly Network allowed the hacker to steal approximately $5.5 million in crypto. However, due to the lack of liquidity in many of the affected tokens, further losses were prevented.

Binance CEO Changpeng Zhao has reassured users that the incident does not impact Binance customers, as the network does not support deposits from Poly Network.

TagsCrypto

James Wilson

James Wilson is a crypto writer and researcher with over 5 years of experience in the industry. He is a graduate of the University of California, Berkeley, where he studied computer science and economics. After graduating, he worked as a software engineer at a major tech company before transitioning to a career in crypto.