The Poly Network hack is the biggest crypto theft in recent times. What actually happened, and why was it such a unique controversy?

Cryptocurrencies have been around for more than a decade now, and their popularity shows no sign of dying down anytime soon. From the tech billionaire Elon Musk to the NBA star Stephen Curry, cryptocurrency has captured the interest of famous figures and of millions of people around the globe. Apart from the promise of high returns, cryptocurrency also promises secure transactions. Because the coins are built and recorded on decentralized blockchains, they are not controlled or regulated by a single authority such as a bank or government. Each transaction is public, purely peer-to-peer, and must be verified.


On one hand, such a system should make crypto coins and blockchains difficult to hack. But on the other hand, that doesn't necessarily mean that crypto coins are completely un-hackable and safe. In fact, several million-dollar crypto hacks have taken place in the last few years.

According to the US Federal Trade Commission, no less than 7,000 people have lost more than $80 million in crypto scams between October 2020 and March 2021 – a 1,000% increase from the previous year. Also, keep in mind that cryptocurrency is mostly unregulated, so there's simply no guarantee that the coins lost from cyber-attacks will be compensated.

Blockchain hackers are not only attacking individual crypto holders; they are also targeting crypto exchanges and businesses. One of the best-known and most recent crypto heists is the Poly Network case, in which a group of hackers stole at least $613 million worth of digital coins from the company. It is thought to be the biggest crypto hack in history, surpassing the $534.8 million of cryptocurrency stolen from the Japanese exchange Coincheck in 2018.


How was the Poly Network Hacked?

First of all, Poly Network is neither a crypto exchange nor a wallet. Instead, it is a cross-chain network that essentially allows two or more blockchains to "communicate with each other". To be more precise, it enables users to make transactions across different blockchains without having to convert the digital coins in an exchange. This China-based platform specifically sits on top of several blockchains including Bitcoin, Ethereum, Binance Smart Chain (from Binance exchange), Neo, and Elrond.

In a nutshell, Poly Network offers the following components:

  • A separate master wallet for each of the blockchain projects that it caters to, each of them containing a certain amount of coins.
  • A set of smart contracts that allow users to swap the native tokens of one supported blockchain for those of another, among other operations.
  • A blockchain layer called the Poly network where the smart contracts operate.

On August 10th, 2021, Poly Network reported that a group of attackers had hacked a smart contract on its network, transferring roughly $610 million (mostly in Ether, Binance Coin, and USDC) to external wallet addresses. According to the cybersecurity firm SlowMist and security researcher Kelvin Fichter, the hack was possible because of mismanaged access rights between two critical Poly Network smart contracts: EthCrossChainManager and EthCrossChainData.

EthCrossChainData is an owner-restricted contract: nobody except its owner is supposed to be able to call its privileged functions. That is because the contract is responsible for setting and managing the list of public keys of the "authenticator nodes" (Keepers) that manage the wallets in the underlying liquidity chains. In other words, the main purpose of EthCrossChainData is to decide who has the right to move the funds held in those wallets. EthCrossChainManager, meanwhile, is another privileged contract, one that is able to relay messages between the Poly Network and the Ethereum network.

The problem is that EthCrossChainManager is the owner of EthCrossChainData. The attacker used EthCrossChainManager to make a cross-chain transaction from the Ethereum network to the Poly Network that targeted EthCrossChainData and instructed it to replace the Keeper's key with the attacker's own. EthCrossChainData granted the request, because it came from its owner, EthCrossChainManager. Once the command had executed and the attacker held Keeper status, they used that key to transfer a huge amount of tokens to their own wallet.
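To make the privilege mismatch concrete, here is a simplified Solidity model written for this article. It is not Poly Network's source code; the contract names, the function `putCurEpochKeepers`, the `allowedTargets` registry and the governance address are all assumptions chosen to mirror the description above. The vulnerable manager both owns the data contract and relays arbitrary messages to arbitrary targets, so a relayed message aimed at the data contract passes its owner check. The hardened manager separates the two privileges: a governance address owns the keeper list, and the relay path refuses the data contract and any unregistered target.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative model only: names and signatures are assumptions made for this
// article, not Poly Network's contracts.

// Holds the list of keeper keys that authorise fund movements.
// Only its owner may change that list.
contract CrossChainData {
    address public owner;
    bytes public keeperKeys;

    constructor(address initialOwner) {
        owner = initialOwner;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "CrossChainData: caller is not owner");
        _;
    }

    // Privileged: replacing the keepers hands over control of the funds.
    function putCurEpochKeepers(bytes calldata newKeys) external onlyOwner {
        keeperKeys = newKeys;
    }
}

// VULNERABLE pattern: the manager owns the data contract AND forwards verified
// cross-chain messages to whatever target the message names. A message whose
// target is the data contract is therefore executed with the owner's authority.
contract VulnerableManager {
    CrossChainData public data;

    constructor() {
        data = new CrossChainData(address(this)); // the manager becomes the owner
    }

    function executeCrossChainTx(address target, bytes calldata payload) external {
        // keeper-signature verification of the message is elided for brevity
        (bool ok, ) = target.call(payload); // inside the callee, msg.sender == this manager
        require(ok, "cross-chain call failed");
    }
}

// HARDENED pattern: keeper rotation is owned by a separate governance address
// (for example a multisig), the manager only ever reads the keeper list, and
// the relay path cannot reach the data contract or any unregistered target.
contract HardenedManager {
    CrossChainData public immutable data;
    address public immutable governance;
    mapping(address => bool) public allowedTargets;

    constructor(address governanceAddr) {
        governance = governanceAddr;
        data = new CrossChainData(governanceAddr); // governance, not the manager, owns it
    }

    // Only governance decides which application contracts the relay may call.
    function registerTarget(address target, bool allowed) external {
        require(msg.sender == governance, "HardenedManager: caller is not governance");
        require(target != address(data), "HardenedManager: data contract cannot be a relay target");
        allowedTargets[target] = allowed;
    }

    function executeCrossChainTx(address target, bytes calldata payload) external {
        // keeper-signature verification elided; keepers would be read from `data`
        require(target != address(data), "HardenedManager: privileged contract unreachable via relay");
        require(allowedTargets[target], "HardenedManager: target not registered");
        (bool ok, ) = target.call(payload);
        require(ok, "cross-chain call failed");
    }
}
```

The defensive point is the split of authority: the component that relays user-supplied messages must never also be the component that is trusted to rotate the signers, and the relay should only be able to reach an explicit allow-list of application contracts. Audit checks worth running on any bridge contract include listing every address that satisfies an `onlyOwner`-style check and confirming none of them can be driven by externally supplied calldata.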


The Aftermath

After the hack, Poly Network asked crypto miners and exchanges to blacklist the stolen funds, making them effectively unusable by the hacker. That is not easy to enforce, however, and it is unclear whether every exchange agreed to do so. Meanwhile, the issuer of Tether managed to freeze the stolen Tether-USDC funds soon after the theft.

What's interesting about this case is that within the first 24 hours, an anonymous person claiming to be the hacker said they were "ready" to return the funds. They didn't reveal their identity to the public, though. Poly Network then asked them to send the money to three crypto wallets. By the next day, the hacker had returned $342 million, or around half of the stolen amount. The remaining $268 million of assets were locked in an account that requires passwords from both Poly Network and the hacker to access.

Poly Network then asked the hacker, whom they were calling "Mr. White Hat", to provide the password. "White hat" is a reference to ethical hackers who look for vulnerabilities in systems. The firm even offered a $500,000 "bug bounty" to persuade the hacker to send the money back. Such a bounty is usually paid to those who report bugs to companies before they are disclosed to the general public. Not only that, Poly Network even offered them a job as the company's chief security advisor. But eventually the hacker turned down the offer and responded that they would hand over the keys once "everyone is ready".

A few days later, Poly Network said that Mr. White Hat had finally shared the final piece and returned the last of the funds, so the funds have now been fully recovered. Poly Network stated that it is in the process of returning full asset control to users and improving its security so that there won't be any similar incident in the future.


The Impacts on the Crypto Community

The Poly Network hack is a pretty unique case. Instead of taking the money and running, the attacker decided to stay in touch with the firm and even maintained a public conversation. They also ultimately returned all of the stolen assets. Some security experts believe this happened because the attacker realized it would be difficult to launder the money and cash it out, since every transaction is publicly recorded on the blockchain.

The attacker, however, seemed to disagree with that view. They claimed they did it for fun and never intended to keep the money in the first place. In a message embedded in a crypto transaction, they said they were "quitting the show" and admitted that their actions had caused a lot of discomfort, but that it was their way of contributing to the security of the Poly Network. Although agreement was reached only after a good deal of pain and confusion, they delivered the message loud and clear.

For the crypto community, the Poly Network case showed that there was a security loophole in the system. It also emphasized once again that blockchains are not entirely safe. There is always a chance that a security breach will take place, so additional security layers must be added to the system.


How to Store and Protect Your Crypto

To own crypto is to understand that it is risky and can be stolen. You can choose to keep your coins in the exchange you used to purchase them, but make sure that the exchange is reliable and follows strict security practices. Before you register, it also helps to check the exchange's track record and what plans it has for responding to security breaches. Some exchanges even carry insurance policies to protect users' funds against hacks and theft.

You can also keep your crypto coins in an external hot wallet or software-based platform. However, since hot wallets are online, your coins will still be exposed to hackers, so again, check the security measures the platform uses. The best and probably safest place to store cryptocurrencies is cold storage. This refers to offline wallet storage, often in the form of small devices such as USB flash drives or printed paper, which keeps the private keys offline.


EndNote

From the Poly Network case, we have learned that blockchain systems are still not fully secure against online theft. Although they might look safe, there are loopholes that crypto hackers can find and exploit.

The number of crypto scams and hacks in the last few years has made it clear that there is an urgent need for improved security measures and secure transactions, especially now that crypto hacks take many different forms. Any crypto-related firm should therefore take this seriously and build a safe environment for its users.


That aside, it is worth noting that if you choose to invest in digital currency, you must be prepared not only for extreme volatility but also for online security breaches. Always pay attention to the security of your funds, including where you store and keep them. Remember that cryptocurrency is still in its infancy, so if you plan to participate, do your research thoroughly and don't invest more than you can afford to lose.