Hackers collect $610 million on Poly Network to perform fancy DeFi withdrawals online

On August 10, the heterogeneous cross-chain protocol Poly Network was attacked and the loss reached 610 million US dollars, including 2,857 ETH, 96.3 million USDC, 26,000 WETH, 1,000 WBTC, 33.4 million USDT, 259 billion SHIB, 14 renBTC, 673,000 DAI and 43,000 UNI will be transferred to Ethereum, 6,600 BNB, 87.6 million USDC, 26,600 ETH, 1,000BTCb, 32.1 million BUSD will be transferred to BSC, and 85 million USDC will be transferred to Polygon.

Hackers collect 0 million on Poly Network to perform fancy DeFi withdrawals online

PeckShield located and analyzed for the first time and found that the attack originated from a contract vulnerability.

It is understood that Poly Network is a cross-chain organization co-sponsored by Xiaoyi Neo, Ontology, and Switcheo Foundation as founding members, and Distributed Technology as the technology provider.

How can hackers grab 610 million US dollars?

PeckShield briefly describes the attack process:

Hackers collect 0 million on Poly Network to perform fancy DeFi withdrawals online

There is a privileged contract EthCrossChainManager in Poly Network, this contract is mainly used to trigger information from other chains.

In a cross-chain transaction, anyone can call verifyHeaderAndExecuteTx to execute a cross-chain transaction. This function has three main functions: one is to verify whether the block header is correct by checking the signature, and the other is to use the Merkel tree to verify whether the transaction is included in the transaction. In this block, the third is to call the function _executeCrossChainTx, which is the target contract.

This attack originated from the fact that the Poly Network allowed to call the target contract, but in the process, there was no restriction on the user to call the EthCrossChainData contract, which can track the list of public keys from data on other chains, even if the public key is not stolen. If you have already obtained the permission to modify the public key list, then you only need to set the public key to match your private key, and you can basically go unimpeded.

Since the user can deceive the EthCrossChainManager contract to call the EthCrossChainData contract by sending a cross-chain request to fool the verification of onlyOwner, at this time, the user only needs to fabricate a correct data to trigger the function of modifying the public key.

Hackers collect 0 million on Poly Network to perform fancy DeFi withdrawals online

Next, the attacker is only one step away from success. Poly Network’s contract allows to call any contract, but it only calls the contract function corresponding to the signature hash, as shown in contract C above. 

Hackers perform fancy DeFi online withdrawals

At 20:38 PM on the evening of August 10th, Poly Network officials announced the attack on Twitter and stated that in order to recover the stolen assets, Poly Network will take legal action, urging hackers to repay the money as soon as possible, hoping that miners on the relevant chain And major exchanges reached out for assistance to jointly prevent transactions initiated by hacker addresses.

Centralized agencies and security agencies work together to try to prevent hackers from laundering money. Among them, Tether, the issuer of the stable currency USDT, responded extremely quickly and directly froze 33 million USDT in the hacker’s Ethereum address.

Although many parties have actively participated in the containment of hackers, hackers are still mixing currencies quickly through various fancy DeFi games. From this point, it can also be seen that the attacker is a high-level DeFi player.

According to PeckShield tracking, he first used Curve to add 96 million USDC/673,000 DAI liquidity on Ethereum, and then used Curve forked project Ellipsis Finance to add 87 million USDC/32 million BUSD liquidity on BSC; soon, the attacker Remove the liquidity in Curve and convert all to DAI to prevent freezing.

Annual Drama: People who eat melons frequently recruit hackers to return stolen assets

On the one hand, Poly Network is actively talking to hackers in an attempt to recover the stolen assets; on the other hand, the crowd of people who “see the excitement is not too big for the hackers” gave the hackers a trick: “Don’t use your USDT, you have been It’s blacklisted.” and received a gift of 13.5 ETH (worth US$43,000) from hackers. Seeing that it is profitable, the people who eat melons are more and more actively making suggestions for hackers. What’s more, they will leave a message on some feasible currency mixing measures for hackers. , In exchange for what seems to be an extremely impressive return.

Just when the related parties had nowhere to go, the hacker left a message in the block height 13001578 and the block height 13001573 that he was ready to return part of the assets. A few hours after Poly Network provided the multi-signature wallet, PeckShield tracked that hackers began to return part of the USDC on Polygon, and PeckShield will continue to monitor and track the circulation of related assets.

Hackers collect 0 million on Poly Network to perform fancy DeFi withdrawals online

According to PeckShield statistics, as of now, the cross-chain bridge security incidents that occurred in the third quarter of 2021 have caused a total loss of more than 640 million U.S. dollars, accounting for 44.5% of the total loss.

Hackers collect 0 million on Poly Network to perform fancy DeFi withdrawals online

Why are cross-chain bridges frequently attacked?

PeckShield observed that the emerging field of cross-chain protocols has broken the barriers of isolated information islands between chains and still needs to withstand the test of time. As the ecology of cross-chain bridges has become more diversified and enriched recently, the amount of transactions and funds conducted on it has increased significantly. For example, the Poly Network that was attacked, the scale of cross-chain asset transfer has exceeded 10 billion U.S. dollars, more than 220,000 addresses use the cross-chain service, which also attracts hackers’ attention to cross-chain protocols. In addition, the cross-chain bridge itself is an important link for hackers’ funds to escape. Therefore, it will also become the target of hacker attacks.

Hackers collect 0 million on Poly Network to perform fancy DeFi withdrawals online

PeckShield recommends designing a certain risk control fuse mechanism and introducing threat perception intelligence and data situation intelligence services from third-party security companies. When a DeFi security incident occurs, it can respond to security risks as soon as possible, and promptly investigate and block security attacks to avoid Cause more losses; and we should link all parties in the industry to build a complete asset tracking mechanism to monitor the circulation of related virtual currencies in real time; it is also necessary to increase the importance of operation and maintenance security.


Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/hackers-collect-610-million-on-poly-network-to-perform-fancy-defi-withdrawals-online/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Leave a Reply