Further details are coming to light following a July 2 attack on cross-chain bridge platform Poly Network, which has resulted in a hacker being able to issue billions of tokens out of thin air for profit.
In a July 2 Twitter post, Poly Network confirmed it became the latest DeFi exploit victim after attackers managed to manipulate a smart contract function on the cross-chain bridge protocol, adding it will be temporarily suspending services.
It did not specify how much was stolen in the attack but Peckshield earlier reported that the exploiter had transferred at least $5 million worth of crypto out.
“We have already initiated communication with centralized exchanges and law enforcement agencies and sought their assistance,” the team stated in a July 3 update.
It also advised project teams and token holders to withdraw liquidity and unlock their LP (liquidity provider) tokens.
’34 billion’ Poly Network hack breakdown
DeFi security analyst @0xArhat said the exploit was a result of a smart contract vulnerability that allowed the hacker to “craft a malicious parameter containing a fake validator signature and block header.”
This was accepted by the smart contract enabling the hacker to bypass the verification process allowing them to issue tokens from Poly Network’s Ethereum pool to their own address on other chains, such as Metis, BNB Chain, and Polygon.
The process was repeated for other chains enabling the token stash to pile up.
At one point the hacker’s wallet held around $42 billion worth of tokens but was only able to convert and steal a fraction of them, said the analyst.
“This way, the hacker was able to mint billions of tokens on various blockchains that did not exist before and transfer them to their own wallet addresses.”
The latest Poly Network exploit has been dubbed by blockchain security solutions provider Dedaub as the “34 billion Poly Network hack.”
Getting to the bottom of the “34 billion” Poly network hack with a technical postmortem.
TL ; DR
Poly network had a simple 3 of 4 multisig arrangement over 2 years!
Looking at the final event we found that the private keys to the addresses marked were compromised. pic.twitter.com/Y0eMJXcYso
— Dedaub (@dedaub) July 2, 2023
Dedaub noted weaknesses in the protocol’s multi-sig stating that it had a simple “3 of 4” multi-signature arrangement over two years, adding:
“Looking at the final event we found that the private keys to the addresses marked were compromised.”
Dedaub explained that the attack wasn’t complex as no logic bugs were exploited. It added that Poly Network was slow to respond taking seven hours which cost the platform $5.5 million in stolen crypto. Luckily, a lack of liquidity in many of the tokens prevented further losses.
Following the attack, Binance CEO, Changpeng Zhao reassured customers, stating that “This does not affect Binance users. We do not support deposits from this network.”
Poly Network got rekt again; allegedly because of compromised hot keys.
It’s going to keep happening untill our industry changes our approach to security.
Smart contract audits only scratch the surface.
ps Poly network has NOTHING to do with Polygon. https://t.co/n1qI48b4Kb
— Mudit Gupta (@Mudit__Gupta) July 2, 2023
Cointelegraph reached out to Poly Network for further details but did not hear back by the time of publication.
The Poly Network was attacked once before in one of the industry’s largest exploits in August 2021 when hackers, later revealed to be linked with North Korean hacking collective the Lazarus Group, made off with over $600 million.