In what appears to be the biggest attack in decentralized finance (DeFi), anonymous hackers used an exploit on cross-chain protocol Poly Network to remove more than $600 million from three chains.
In an August 10, 2021 update on Twitter, Poly Network confirmed that the attacks had removed assets from Ethereum, Binance Chain, and Polygon Network. Blockchain data from the three networks indicate that the hackers stole nearly $273 million from Ethereum, $253 million from the Binance Smart Chain, and $85 million in USD Coin (USDC) from the Polygon network.
Poly Network also reported that wrapped Ether (WETH), wrapped Bitcoin (WBTC), and renBTC were involved in this exploit, which used “a vulnerability between contract calls.”
SlowMist, a Chinese cybersecurity company, published an update shortly after news of the hack broke, saying that its analysts had identified the attacker’s IP address, email address, and device fingerprint, but it did not reveal the information. The firm called the hack “a long-planned, organized and prepared attack.”
Interestingly, SlowMist said that it used data provided by the Hoo exchange and other companies to determine that the hacker’s source of funds was in Monero (XMR). The XMR was exchanged for Ether (ETH), Binance Coin (BNB), and MATIC. SlowMist stated:
“Combined with the flow of funds and multiple fingerprint information, it can be found that this is likely to be a long-planned, organized, and prepared attack.”
The same hacker is believed to have posted three strange messages via transaction records on Ethereum. Based on data from Etherscan, the hacker is now considering returning some of the stolen money after failing to move some of the tokens.
The hacker appeared to be asking the community for help in laundering all these digital assets via the Tornado tumbling service, and proposed that the DAO decide where the tokens will go:
“It would have been a billion hack if I had moved remaining shitcoins! Did I just save the project? Not so interested in money, now considering returning some tokens or just leaving them there.”
Figures from decentralized finance and the cryptocurrency sector also stepped up to provide some support and assistance. Jay Hao, OKEx CEO, said that the exchange’s team of experts was keenly “watching the flow of coins and would try to manage the situation.”
Tether CTO Paolo Ardoino confirmed that the project managed to freeze nearly $33 million in Tether (USDT) from one of the affected addresses. Meanwhile, Binance CEO Changpeng Zhao said that the crypto exchange was coordinating with security partners to proactively help mitigate the impact of the hack.
Launched in 2021, Poly Network is a collaborative project from Neo, Ontology, and Switcheo to create a “heterogeneous interoperability protocol alliance,” linking the blockchains into a bigger cross-chain ecosystem. The protocol enables users to swap tokens across various blockchains.