Topic: Poly Network Hack Clarification (Read 156 times)

legendary
Activity: 2604
Merit: 1504
August 24, 2021, 02:23:45 AM
#12
The hacker who attacked the Poly Network inter-network protocol provided the key to the multisig wallet and returned the remaining $141 million from the stolen funds. In a comment on the transaction, the hacker explained the delay in the final payment by blocking the stolen USDT in the amount of about $33 million. And he also added that the problem of Tether is excessive centralization.

Quote
DEAR POLY TEAM,

KEEP CALM AND THIS IS THE HAPPY ENDING! I HAVE TO ADMIT THAT MY WILD OR MAD BEHAVIORS HAVE LED CRISES TO YOUR PROJECT, YOUR TEAM AND EVEN YOUR LIVES. SORRY FOR THE INCONVENIENCE! IT MUST BE ONE OF THE MOST WILD ADVENTURES IN OUR LIVES.

THOUGH OUR COMMUNICATION IS NEVER PERFECT, WE ARE MOVING IN THE SAME DIRECTION: SETTLE DOWN THE MESS AND CHEER UP FOR THE FUTURE. I DIDN'T WANT TO LEAVE THE PROJECT IN RUINS SO I HAD MY PERSONAL PLAN TO TAKE THE RESPONSIBILITY OF SAVING THE PROJECT. MY ACTIONS, WHICH MAY BE CONSIDERED WEIRD, ARE MY EFFORTS TO CONTRIBUTE TO THE SECURITY OF THE POLY PROJECT IN MY PERSONAL STYLE. THE CONSENSUS WAS REACHED IN A PAINFUL AND OBSCURE WAY, BUT IT WORKS. SOME PEOPLE EVEN SUSPECT THAT THE WHOLE STORY IS A PR STUNT.

WHY DO WE FALL? SO WE CAN LEARN TO PICK OURSELVES UP. THIS INCIDENT MUST BE A SERIOUS LESSON TO MANY OF US, OR EVEN THE WHOLE DEFI COMMUNITY. PERSONALLY, I HAVE LEARNT AND PRACTISED A LOT. AND I TRIED TO POINT OUT SOME CRUCIAL FACTS ABOUT THIS CRAZY DEFI WORLD (PLEASE IGNORE MY BAD JOKES SINCE THE BEGINNING), AND HOPEFULLY MY PHILOSOPHY COULD BE INSPIRING, ESPECIALLY TO THOSE GEEKS WHO HAD MISBEHAVED ACCIDENTALLY.

MY ACTIONS WERE DETERMINED SINCE I MADE THE FINAL DECISION, WHICH WAS TO MAKE IT PERFECT AND TO BE THE ETERNAL, INCLUDING PUBLISHING THE FINAL KEY TODAY. HOWEVER, ONE THING IS MISSING. DURING ALL THE NEGOTIATION, MY _ONLY_ REQUEST, WHICH WAS ALSO THE ONLY REASON FOR SLOW REFUND, WAS TO UNLOCK THE USDT. IN MY SELFISH VIEW, THE STORY IS TAINTED BY THE LOCKED USDT. IT WOULD HAVE BEEN A PERFECT EXAMPLE OF BUILDING TRUST BETWEEN ANONYMOUS "ADVERSARIES" BY LEVERAGING THE POWER OF SMART CONTRACT, IF WE HAD ANY CHANCE TO DEAL WITH THE USDT IN A NOT CENTRALIZED WAY. IT WAS JUST MY PREFERENCE OF SOLVING THE USDT ISSUE, AND IT MIGHT NEVER HAPPEN DUE TO THE UNSYNCHRONIZED COMMUNICATION. IT'S FAIR ENOUGH TO JUST LEAVE THE USDT HERE AS A SIN OF UNTRUST. WE DON'T HAVE TO WORRY ABOUT THE IMPERFECTIONS, BECAUSE THE COMMUNITY, THE MEDIA, THE CROWD AND YOU AND ME CAN'T WAIT FOR THE FINAL KEY, RIGHT? HERE IS THE KEY FOR _US_:

d3c0196b81dba3c2811c0a39536e4dc47d640e3099a9331821d40fd1d6ab66fb

I'M QUITTING THE SHOW. BELIEVE IT OR NOT, I HAVE NEVER CONSIDERED THE SHARED WALLET AS THE "HOSTAGE" FOR RANSOM. AS YOU MAY HAVE NOTICED, I HAVE POURED YOUR BOUNTY AND MY COMPENSATION FUND FROM DONATIONS INTO THE SHARED MULTISIG WALLET. NOT SURE IF IT'S CONVENIENT, BUT DISTRIBUTING THE EXTRA ASSETS TO THE "SURVIVORS" WOULD BE THE LAST REQUEST FROM THIS MAN.

YOUR CHIEF SECURITY ADVISOR


legendary
Activity: 2534
Merit: 1338
August 22, 2021, 04:09:46 PM
#11
-snip-
It's not crazy. The first thing you should know is that there is no easy way to launder the money he stole. The reason is simple:
- The amount is too big to be laundered; even if you use a mixing service you can still get caught
- All exchanges have blacklisted and marked the address
- Some of the money "USDT" has been locked by Tether Foundation

In addition, the Hacker ID was identified by some security institutions which can be considered as a threat to the hacker in case he won't resend the money back to the platform. However, after returning the money, the hacker isn't forced to give details about the loophole in the system.

And as mentioned above, he can be the winner of the bug bounty additional to the 500k he got from Poly. Clever or lucky?
If I remember correctly the hacker ended up rejecting the bounty as well, so he did not get any kind of profit from this. However, if he is really a white hat hacker then he got exactly what he wanted, but if not then it is possible that he is going to try this kind of attack against another network, and this time he is going to be way more careful and be able to get away with that theft. Anyway, this should show us that such platforms are not secure enough yet and that you can lose your money really quickly if you leave your coins on those platforms.
legendary
Activity: 1778
Merit: 1474
🔃EN>>AR Translator🔃
August 19, 2021, 03:42:37 PM
#10
-snip-
It's not crazy. The first thing you should know is that there is no easy way to launder the money he stole. The reason is simple:
- The amount is too big to be laundered; even if you use a mixing service you can still get caught
- All exchanges have blacklisted and marked the address
- Some of the money "USDT" has been locked by Tether Foundation

In addition, the Hacker ID was identified by some security institutions which can be considered as a threat to the hacker in case he won't resend the money back to the platform. However, after returning the money, the hacker isn't forced to give details about the loophole in the system.

And as mentioned above, he can be the winner of the bug bounty additional to the 500k he got from Poly. Clever or lucky?
legendary
Activity: 2534
Merit: 1338
August 19, 2021, 03:27:05 PM
#9
Now the developers of Poly Network themselves offer the hacker who stole $611 million from them the position of chief security adviser. The company called on him to continue to help contribute to the development of blockchain technology security. https://www.bloomberg.com/news/articles/2021-08-18/victim-of-major-defi-cyberattack-offers-its-hacker-a-job?sref=Y0jVLcFo
I have said that Poly Network's confidence is high now, after they were cheated some time ago, and this triggered some hackers to break in to get the award. They will race against time as to whether this network is working well to secure its existing customers so they don't move to other networks.
I do not really see how that can be said at all, the hack they were victims of by this hacker was massive and it just showed their incompetence and their lack of knowledge about their own technology, what kind of assurance they can give to their clients that this is not going to happen again when it is obvious they have been giving those assurances in the past and then this happened? If anything I am surprised they are still around after such a massive hack since it was the hacker that decided to return the funds and it was not because they could track him down and arrest him.
legendary
Activity: 2604
Merit: 1504
August 19, 2021, 11:07:57 AM
#8
Yes, it seems that the hacker got into a difficult situation due to the fact that his USDT is still blocked. Besides, as they say, he transferred funds to his wallet from an account on the exchange hoo.com, which has KYC, unless it is a hacked account. https://twitter.com/luojeth/status/1425099729969483778 And now he reproaches the Poly team that his USDT is still blocked, and the hacker threatens to postpone the refund.

Quote
DEAR POLY,
GLAD TO SEE THAT YOU ARE MOVING THINGS TO THE RIGHT DIRECTION! YOUR ESSAYS ARE VERY CONVINCING WHILE YOUR ACTIONS ARE SHOWING YOUR DISTRUST, WHAT A FUNNY GAME. YOU DON'T EVEN THINK TO UNLOCK MY USDT ACCOUNT.
I AM NOT READY TO PUBLISH THE KEY IN THIS WEEK. IF YOU ARE WORRIED ABOUT THE INTEREST, I COULD SIGN THE TRANSACTION OF DAI TOKEN TO THE PREVIOUS MULTISIG WALLET, THEN YOU CAN DEPOSIT THE STABLES LIKE WHAT I DID LAST WEEK. NOW IT'S THE SAME SITUATION WITH A FEW DAYS AGO: IF YOU TRUST ME, YOU CAN HAVE A GOOD REST AND FOCUS ON THE REPAIRING AND RESTORING PROCESS. HERE IS ONE THING THAT YOU CAN ALWAYS TRUST ME: HOLDING BTC & ETH IS BETTER THAN TRADING THEM.

Earlier, the Poly team's response to the message assured the hacker that it is doing everything possible to remove the Tether lock and expects an early result:

Quote
Thank you very much for your suggestions, but we are unlikely to get a proper rest until we fully return the user assets. For us, there is still a lot of work to be done. Recovering everything as soon as possible is our first priority.

Regarding the issue of locked USDT you brought up, we are already communicating with Tether. For Tether, how to deal with this USDT pool is a question that requires careful consideration and prudent decision-making. We believe that there will be a concrete result soon, and we also need this part of assets to complete the full asset recovery.

We well understand your idea to deposit DAI to earn interest from it, but unfortunately Poly Network does not have the right to perform any operations on the user’s assets. What we can do is to convert DAI back to USDC to restore the user’s assets. We will use our own funds to compensate the slippage incurred in the transaction, but we still hope that you can return DAI to us first, which will help us convert into USDC in batches and reduce the slippage costs.

At the same time, even though we did not receive your feedback on the matter yet, we still decided to go ahead and transfer 160ETH to the address (0xA87fB85A93Ca072Cd4e5F0D4f178Bc831Df8a00B). We hope that the funds can be used to incentivize more security experts to contribute to blockchain security in the future.

With regards to Poly Network's decentralization upgrade, we decided to use the multi-signature of relay chain validators to authorize upgrades. We also hope to invite you to participate in the future development of the Poly Network. If you want, your address (0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963) can be one of the validators.

Finally, we still hope you can provide the key to us this week, because thousands of users are waiting to get their assets back. The sooner the asset recovery can be carried out, the more negative emotions will be avoided, and we believe it is the right way to treat our users.

Poly Network Team
legendary
Activity: 2660
Merit: 1261
August 18, 2021, 12:27:44 PM
#7
-snip-
It's not crazy. The first thing you should know is that there is no easy way to launder the money he stole. The reason is simple:
- The amount is too big to be laundered; even if you use a mixing service you can still get caught
- All exchanges have blacklisted and marked the address
- Some of the money "USDT" has been locked by Tether Foundation

Now, since he can't do anything with the money, and if he tried to withdraw the money the police, FBI or whatever would arrest him, it's better to refund the money. He got a reward of 500,000 USD, which is not really bad.
full member
Activity: 714
Merit: 104
August 18, 2021, 11:45:04 AM
#6
Now the developers of Poly Network themselves offer the hacker who stole $611 million from them the position of chief security adviser. The company called on him to continue to help contribute to the development of blockchain technology security. https://www.bloomberg.com/news/articles/2021-08-18/victim-of-major-defi-cyberattack-offers-its-hacker-a-job?sref=Y0jVLcFo
I have said that Poly Network's confidence is high now, after they were cheated some time ago, and this triggered some hackers to break in to get the award. They will race against time as to whether this network is working well to secure its existing customers so they don't move to other networks.
legendary
Activity: 2604
Merit: 1504
August 18, 2021, 11:10:17 AM
#5
Now the developers of Poly Network themselves offer the hacker who stole $611 million from them the position of chief security adviser. The company called on him to continue to help contribute to the development of blockchain technology security. https://www.bloomberg.com/news/articles/2021-08-18/victim-of-major-defi-cyberattack-offers-its-hacker-a-job?sref=Y0jVLcFo
legendary
Activity: 2660
Merit: 1261
August 17, 2021, 01:11:25 PM
#4
I read the Q&A from the hacker on the chain.

However, on the points about hacking on bridge chains he was really on point. I think bridge systems have a really high potential to get leaked or hacked; before Poly Network, on my project "Chainport", a bridge service also got hacked.

Not really more than 10M$, but based on this I'm a bit worried about bridge services.
full member
Activity: 714
Merit: 104
August 17, 2021, 12:04:23 PM
#3
The developers of Poly Network announced the launch of a bounty program to search for bugs in the main functions of the protocol. The purpose of the program is to prevent the repetition of exploits and eliminate possible vulnerabilities. Its launch is scheduled for August 17, and the scheme provides for a payment of up to $100,000 for each detected error with a total fund of $500,000.



This proves that the Poly Network is very confident in their security at first. Why am I talking like that? Because most people do security after the incident; they will carry out a bounty hunt after a big miss. They should have done it earlier so that this didn't happen. Luckily it was returned.
legendary
Activity: 2604
Merit: 1504
August 17, 2021, 11:32:28 AM
#2
The developers of Poly Network announced the launch of a bounty program to search for bugs in the main functions of the protocol. The purpose of the program is to prevent the repetition of exploits and eliminate possible vulnerabilities. Its launch is scheduled for August 17, and the scheme provides for a payment of up to $100,000 for each detected error with a total fund of $500,000.


hero member
Activity: 2716
Merit: 698
Dimon69
August 10, 2021, 11:57:04 PM
#1
WHO DID THE HACK TARGET?

This is a big question to ask. I've seen a couple of comments like "Not your keys, not your Crypto" and likening it to BitConnect or Mt. Gox. It's similar but with a big caveat: these types of attacks don't typically target users' crypto in their wallet. Custodial exchange and centralized lending will often target users' crypto just sitting in a spot wallet.

When you supply liquidity to a protocol on DeFi it is not your crypto. Your keys should still be able to authorize the withdrawal of that crypto or your wallet will have a receipt of supplying like cETH or LP tokens. You are still ultimately the custodian of your own crypto in DeFi.

If you've been interacting with DeFi protocols, it is highly unlikely you will wake up to a drained Metamask after one of these hacks. You are too small of a fish for those types of attacks to target. You are more likely to have to fall for a phishing scam if that is the case.

Typically hacks like this target liquidity pools. Liquidity pools often have immense value in them. You may lose crypto you have deposited in a hacked pool or farm, but often times protocols come up with solutions to reimburse any lost crypto like PancakeBunny earlier this year that suffered a flash loan attack.

Poly Network holds large liquidity pools to facilitate cross chain transfers. Holding a lot of exit liquidity on each chain. The money that was hacked from this event is likely to have been stolen from those who have large amounts of liquidity staked. This is not likely to be you farming CAKE on PCS!

Cross Chain protocols are incredibly hard to code, and they should be treated with caution when supplying liquidity to them.



HOW DID THE ATTACK TAKE PLACE?

I want to keep this part simple for those not technically minded but there are currently two working theories as to how the hack took place. They both involve the private keys for the ownership of the liquidity pools.

🔑Theory 1: Leaked Key

Poly Network has a big security problem from the outset. They had a single sig key to the pools which means that only one signer would need to authorise any changes to the liquidity pool, including withdrawal of funds. This is like leaving a vault of gold with only one key. If you wanted to access this, there wouldn't be any other parties involved.

Current theories suggest that this key was leaked or hacked via another method off-chain. This is the story from the early official post mortem from Poly Network.

EDIT: This theory has been disproved by Poly Network, but I wrote it so I thought I'd leave it here as an example of an early working theory

🖋 Theory 2: Hacked Contracts

There are two important contracts. A "manager" contract and a "data" contract. The data contract specifies the address which can submit transactions which can withdraw funds from the pool. If someone was to replace this address in the contract to theirs, they could withdraw as much from the pools as possible.

In Solidity there is a concept called ownership. A smart contract can set certain functions to only execute if the owner executed them. Typically, when constructed the owner is the wallet who deployed the contract, which is typically the developer. However, in this case the owner of the "Data" contract was the "Manager" contract.

So now, if you were to call a function which could replace the address in the data contract with theirs from the manager, it would be allowed.

But here's another flaw in the design of Poly Network. The "manager" contract exists to run transactions on different chains. It has a function called verifyHeaderAndExecuteTx which verifies that a transaction exists on one chain, and if it does, runs it on another. This is needed for cross chain interoperability.

But wait... we've now got a way to run arbitrary functions from the "manager". If the attacker devises a specific input they can now freely set the most important address, the one which says who can withdraw from the pools, to theirs.



NOTE: I don't own the content, I just want to share the beautiful explanation and analysis of Crypto Vigilante

Content Source: https://t.me/CryptoVigilanteANN/530
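
A small Python model of the ownership flaw described under Theory 2 in post #1, added here as an illustration; it is not code from the post, from Crypto Vigilante, or from Poly Network. All class and method names except verifyHeaderAndExecuteTx are hypothetical, header/proof verification is assumed to pass, and the target allowlist is one possible mitigation, not Poly Network's actual fix.

```python
class DataContract:
    """Holds the address allowed to authorise withdrawals (the 'keeper')."""
    def __init__(self, owner, keeper):
        self.owner, self.keeper = owner, keeper

    def set_keeper(self, caller, new_keeper):
        # Ownership check: only the owner may change the keeper.
        if caller is not self.owner:
            raise PermissionError("DataContract: caller is not owner")
        self.keeper = new_keeper


class Pool:
    """A legitimate cross-chain target: releases funds when the manager says so."""
    def __init__(self, manager, balance):
        self.manager, self.balance, self.paid = manager, balance, {}

    def unlock(self, caller, to, amount):
        if caller is not self.manager:
            raise PermissionError("Pool: caller is not manager")
        if amount > self.balance:
            raise ValueError("Pool: insufficient liquidity")
        self.balance -= amount
        self.paid[to] = self.paid.get(to, 0) + amount


class Manager:
    """Models verifyHeaderAndExecuteTx: runs a relayed call on a target contract."""
    def __init__(self):
        self.allowed_targets = None  # None = original behaviour: any target

    def verify_header_and_execute_tx(self, target, method, args):
        # Assumption: the source-chain proof is valid, so only dispatch is modelled.
        if self.allowed_targets is not None and not any(
                target is t for t in self.allowed_targets):
            raise PermissionError("Manager: target not registered")
        # The callee sees the manager as caller, whoever wrote the message.
        getattr(target, method)(self, *args)


def simulate(hardened):
    """Relay one normal unlock, then one message aimed at the data contract."""
    manager = Manager()
    data = DataContract(owner=manager, keeper="keeper-legit")  # constructed values
    pool = Pool(manager, balance=1000)
    if hardened:
        manager.allowed_targets = [pool]  # data contract is never a relay target
    manager.verify_header_and_execute_tx(pool, "unlock", ("user-a", 100))
    try:
        manager.verify_header_and_execute_tx(data, "set_keeper", ("keeper-other",))
        outcome = "executed"
    except PermissionError:
        outcome = "rejected"
    return data.keeper, outcome, pool.paid["user-a"]
```

In the unhardened run the owner check on the data contract passes because the manager itself is the caller; with the allowlist the same message is rejected while the ordinary unlock still goes through.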