Further Details on the July 2 Attack on Poly Network
More information has emerged regarding the attack on cross-chain bridge platform Poly Network that occurred on July 2. The hacker managed to issue billions of tokens without any actual value, enabling them to profit from the exploit.
In a tweet on July 2, Poly Network confirmed that it had become the latest victim of a decentralized finance (DeFi) exploit. The attackers manipulated a smart contract function on the cross-chain bridge protocol, leading to the temporary suspension of services.
Scope of the Exploit
The recent update from the Poly Network team reveals that the exploit affected 57 crypto assets across 10 blockchains, including Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKX, and Metis.
The exact amount stolen during the attack has not been specified by the Poly Network team. However, reports from PeckShield suggest that the exploiter transferred at least $5 million worth of crypto. Another report from CertiK estimates that the attack led to around $10 million worth of crypto being collected across five externally owned addresses.
The Poly Network team is taking measures to address the situation. In a July 3 update, they stated that they have initiated communication with centralized exchanges and law enforcement agencies and sought their assistance. The team also advised project teams and tokenholders to withdraw liquidity and unlock their liquidity provider tokens.
The Hack Breakdown: How $34 Billion Was Exploited
DeFi security analyst Arhat shed light on how the exploit unfolded. The hacker exploited a smart contract vulnerability that allowed them to craft a malicious parameter containing a fake validator signature and block header. This crafty manipulation was accepted by the smart contract, bypassing the verification process.
By doing so, the hacker issued tokens from Poly Network’s Ethereum pool to their own address on other chains like Metis, BNB Chain, and Polygon. They repeated this process for other chains, accumulating a stash of tokens.
At one point, the hacker’s wallet held around $42 billion worth of tokens. However, they were only able to convert and steal a fraction of this amount, as stated by the analyst.
Blockchain security solutions provider Dedaub labeled this Poly Network exploit as the “34 billion Poly Network hack.” Dedaub identified weaknesses in the protocol’s multisig, noting a simple “3 of 4” multisignature arrangement over two years. They also found that the private keys to the addresses marked were compromised.
Dedaub clarified that the attack was not complex and that no logic bugs were exploited. Poly Network’s slow response time of seven hours cost the platform $5.5 million in stolen crypto. Fortunately, a lack of liquidity in many of the tokens prevented further losses.
Binance CEO’s Reassurance
Following the attack, Changpeng Zhao, the CEO of Binance, reassured customers, stating that “This does not affect Binance users. We do not support deposits from this network.”