Hacker steals $600 million from Poly Network in biggest ever cryptocurrency hack
An unidentified hacker has stolen more than $600 million worth of cryptocurrency from Poly Network, a decentralized finance (DeFi) platform based in China.
According to its website, Poly Network provides users the ability to trade cryptocurrency assets across different blockchains. Under the hood, the Poly Network executes these transactions using scripts called "contracts."
On Thursday, August 10, an unidentified individual began moving funds from the Poly Network platform into cryptocurrency addresses under their control.
How the attack took place
"The hacker exploited a vulnerability, which is the _executeCrossChainTx function between contract calls," a Poly Network spokesperson told The Record in an email today.
"The attacker use[d] this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract," the company added, an attack that effectively allowed the intruder to declare themselves as the owner of any funds processed through the platform.
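The quoted description boils down to one design flaw: a contract that relays cross-chain transactions to arbitrary targets is also the owner of the contract holding the bridge's privileged state, so a relayed payload aimed at that state contract runs with owner rights. The simplified Solidity below is an added illustration of that pattern and of the obvious mitigation; it is not Poly Network's code, the contract bodies and function names are hypothetical, and the cross-chain proof verification that a real bridge performs before executing anything is assumed to happen earlier and is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Illustrative model of the pattern described in the article (not Poly
// Network's code). CrossChainData stands in for the "EthCrossChainData"
// contract: its keeper set may only be changed by its owner.
contract CrossChainData {
    address public owner;
    bytes public keeperPubKeys; // the "keeper" the article refers to

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Privileged: whoever owns this contract decides who the keepers are.
    function setKeeper(bytes calldata newKeepers) external onlyOwner {
        keeperPubKeys = newKeepers;
    }
}

// The manager deploys the data contract, so the manager IS its owner.
// Any call the manager makes to the data contract passes onlyOwner.
contract CrossChainManager {
    CrossChainData public immutable eccd;

    constructor() {
        eccd = new CrossChainData();
    }

    // Vulnerable shape: the relayed call's target is not restricted, so a
    // payload whose target is the data contract executes a privileged
    // setter with the manager's owner rights. Kept here only as the
    // "before" picture; nothing routes to it.
    function _executeCrossChainTxUnchecked(address toContract, bytes memory data)
        internal
        returns (bool ok)
    {
        (ok, ) = toContract.call(data);
    }

    // Hardened shape: the bridge's own infrastructure contracts are never
    // valid targets for relayed payloads, and only deployed code is called.
    function _executeCrossChainTx(address toContract, bytes memory data)
        internal
        returns (bool ok)
    {
        require(toContract != address(eccd), "target is the data contract");
        require(toContract != address(this), "target is the manager");
        require(toContract.code.length > 0, "target is not a contract");
        (ok, ) = toContract.call(data);
    }

    // Hypothetical entry point. In a real bridge the cross-chain proof for
    // (toContract, data) is verified before this line; that step is assumed
    // and omitted here.
    function executeRelayedTx(address toContract, bytes calldata data)
        external
        returns (bool)
    {
        return _executeCrossChainTx(toContract, data);
    }
}
```

The target allow-list check is the cheap, local fix; the more general lesson is that an executor which forwards attacker-influenced calldata must never hold privileges over other contracts in the system, so a design that separates the relaying role from ownership of the state contract (for example, a governance-controlled owner that the manager cannot act as) removes the class of bug rather than one instance of it.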
Using repeated calls to the attacked contract, the hacker was able to exfiltrate funds from the Poly Network and then transfer them to wallets under their control, identified by Poly admins as follows:
- BinanceSmartChain: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71
- Ethereum: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
- Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214
At the time of the hack, the Poly Network said the stolen funds were worth more than $600 million, making it the largest hack pulled off against a cryptocurrency trading platform to date.
Poly Network begs hacker to return stolen funds
Once the attack was discovered, Poly Network disclosed the incident to the public and asked for the help of the cryptocurrency community, begging mining platforms and exchanges to track the hacker's movements and freeze their accounts.
On Twitter, companies like Huobi, Tether, OKEx, and Binance said they managed to freeze some of the stolen assets, but only a small portion of the larger pot.
In the meantime, the Poly Network has published an open letter on its Twitter feed, asking the hacker to return the funds before the incident escalates.
While hackers have returned stolen funds to cryptocurrency platforms in the past to avoid prosecution, the company's letter was universally ridiculed for its naivety, becoming a trending topic on Twitter late last night.
(Embedded tweet, August 10, 2021)
At the time of writing, the hacker had returned $250 million of the stolen funds, but it remains unclear whether they will return the rest.
The hacker has also been using the comment field in Ethereum transactions to post public messages or engage in conversations with various individuals, revealing in one of these that the breach could have been much larger had they bothered to move the Poly Network's less popular altcoins.
The Poly Network told The Record they plan to update their users about the hack in the coming days via their Twitter account. It also confirmed the validity of an independent review of the hack posted by cryptocurrency security firm SlowMist.
Another Poly Network hack analysis is also available in the Twitter thread below:
Article updated shortly after publication to add that the hacker has returned a very small portion of the stolen funds.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.