At least $611 million stolen in massive cross-chain hack

Cross-chain protocol Poly Network has been hacked for $611 million in the largest DeFi hack to date.

We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon,” tweeted Poly Network today, adding, “We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses.

Poly Network is a protocol for swapping tokens across multiple blockchains, including Bitcoin, Ethereum and Ontology. It was formed by an alliance between the teams behind multiple blockchain platforms, namely Neo, Ontology, and Switcheo.

According to The Block Research’s Igor Igamberdiev, the root cause of the hack was a cryptography issue — which is not usually the case. It may have been similar to the Anyswap exploit, which saw $7.9 million stolen due to a hacker reversing the private key.

The hack has also had wider implications. As a result of it, O3, a trading pool that uses Poly Network to trade tokens among different blockchains, has had to suspend its cross-chain functionality.

Following the money

The assets stolen were $273 million of Ethereum tokens, $253 million in tokens on Binance Smart Chain and $85 million in USDC on the Polygon network.

Since the theft, Tether has blacklisted the USDT on Ethereum that was stolen in the attack, roughly $33 million in tokens. That means they can no longer be moved. (USDT is a centralized stablecoin that can be frozen at will by the company behind it, similar to other stablecoins like USDC.)

Following the blacklisting, a crypto user sent a transaction to one of the addresses containing the stolen funds telling the hacker not to use USDT because it had been blacklisted. In response, the hacker sent 13.37 ETH ($42,000) to the user for the information.

After the hack, crypto exchange Binance CEO Changpeng Zhao tweeted, “We are aware of the [poly.network] exploit that occurred today. While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can.

Tracking down the attacker

Blockchain security firm SlowMist has sent out a news alert that says they have already tracked down the attacker’s ID. It claims to know their email address, IP information and device fingerprint. The firm said that the attacker’s original funds were in monero (XMR), which were exchanged for BNB, ETH and MATIC and other tokens that were used to fund the attack.

SlowMist said that this information was obtained through its partner Chinese crypto exchange Hoo, plus other exchanges. Other crypto users have claimed that the funds used for the attack originated on the Hoo exchange.

SlowMist CTO, who is known as “Blue,” told The Block, “We told [Poly Network/O3] that we have some information about the hacker, if they need we will share it to them.” He added that he’s hoping for a “happy ending” to the saga.

Further crypto sleuths have noticed that some of the hacker’s wallets show a lot of DeFi activity. They point out that the wallets have had many interactions with centralized exchanges, including FTX, Binance and OKEx, where the hacker may have undergone KYC measures.

The hacker then sent a transaction from one of the wallets containing the stolen funds back to the same wallet. It included a message that reads, “IT WOULD HAVE BEEN A BILLION HACK IF I HAD MOVED REMAINING SHITCOINS! DID I JUST SAVE THE PROJECT? NOT SO INTERESTED IN MONEY, NOW CONSIDERING RETURNING SOME TOKENS OR JUST LEAVING THEM HERE.”

Update: Further updates to the story have been added and the paragraph on cryptography has been clarified.

For more breaking stories like this, make sure to subscribe to The Block on Telegram.

© 2021 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.