Poly Network hacking case: Blockchain is safe but smart contracts are not

On Tuesday, Poly Network’s official Twitter said that the project was hacked and directly lost more than $600 million in crypto assets. This attack is by far the largest DeFi hacking attack, and the loss directly exceeds the sum of all DeFi hacking attacks in 2021. Earlier, Mentougou and Coinchek’s two sensational currency circles lost encrypted assets worth 400 million and 532 million U.S. dollars, respectively.

After receiving the attack, the cross-chain protocol Poly Network called on the crypto community, and even “white hat hackers”, to track hackers’ transfer of funds through the blockchain. In this hacking incident, the attacker took advantage of a technical vulnerability in the Poly Network, a blockchain cross-chain protocol. This attack involved three different blockchains, namely: Ethereum network, Binance Smart Chain (BSC) and Polygon. In the end, the hacker obtained the information needed to retrieve the private key of the owner of the cryptocurrency wallet and finally stole the assets on the chain.

“Vulnerability” Suspicion

Poly Network claimed that “tens of thousands of community members” were affected by the hacking incident.

Poly Network hacking case: Blockchain is safe but smart contracts are not

The Poly Network team said via Twitter that after preliminary investigation, we found the cause of the vulnerability. The hacker took advantage of the loopholes between the contract calls, and the loopholes were not caused by a single Keeper as rumored.

Nokenchain CEO Guillaume Thuill said in a youtube live broadcast, “It is obvious that the problem is that Poly Network only uses one wallet to handle all the business. There is even some form of account management mismanagement within its agreement. The The company put nearly 600 million U.S. dollars in tokens from three different blocks in an account, which is a mistake in itself. This is obviously a violation of financial security regulations in many regions.

Thuill also added, “We can even guess how the hacker managed to obtain the internal key of the account. He may have made an “exploitation” (using a flaw in the system editing instructions). This may be their smart contract (That is, a small program that automatically places an order, an action or information on the blockchain). According to their website, Poly Network has “crossed” 11 blockchains. Of course, this is a very powerful technology. But their level of risk control and security maintenance has not caught up with their cross-chain technology. Private keys are a big deal. Generally speaking, at each stage, there should be an interactive system for verification or confirmation.”

In order to save its reputation, Poly Network even posted a letter on Twitter to chat with hackers over the air: “Dear hacker (…) we want to get in touch with you and urge you to return the assets you hacked. Any country All authorities will treat your misconduct as a major economic crime and you will be prosecuted. (…) You should talk to us and try to find a solution.”

Why does the project party always turn to the crypto community for the first time?

This is a classic strategy. Under normal circumstances, the project team will immediately call for active community users to identify addresses and track funds to prevent the circulation of funds. Since everything is tracked on the blockchain, and community users often have direct interests with the project party, they will voluntarily and spontaneously carry out these tracking actions. The project party is equivalent to hiring a large number of “private detectives” for free. This is like a blacklist of bad addresses on the blockchain. Although simple, this method is actually very effective. The only problem is that hackers often put the criminal wallet into a “hibernation” state until the storm passes.

On Twitter, Poly Network directly announced the addresses used by hackers and called on holders of cryptocurrency wallets to be “blacklisted.”

This method has also been tried and tested in the case of the US operator Colonial Pipeline being hacked, and the company was required to pay a ransom to restore its computer system. But of the $4.4 million ransom paid to hackers, the US authorities stated that they recovered more than half of the ransom (approximately $2.3 million) simply by tracking the flow of these funds paid in cryptocurrencies on the blockchain.

Although the Poly Network project, like many new startups, is contributing to the thriving Defi ecosystem. But it does not necessarily mean that security issues can be ignored. Blockchain is secure, but obviously smart contracts based on blockchain are not.

Return the stolen money

Therefore, since the official announcement of the theft, both the project party, the security agency, all parties in the currency circle, and everyone in the currency circle have been paying attention to the latest progress of the Poly Network incident and doing their best to assist in freezing and recovering funds.

On the day of the attack, at 12 noon on August 10th, the hacker publicly stated that he would return all assets. Through the on-chain transaction remarks, he indicated that he was ready to return the stolen assets, but because he could not contact the Poly Network project party, he hoped that Poly Network would provide one. Multi-sign wallets. The hacker also said, “Acquiring so much wealth is already a legend, and saving the world is an eternal legend. I made the decision to stop using DAO.”

It may seem that the hacker “changes his mind”, but in fact it is only a trade-off of “risk is greater than the benefit of doing evil”. Within three hours after the attack, the SlowMist security team stated that through on-chain and off-chain tracking, the attacker’s mailbox, IP, and device fingerprints have been associated, and it is tracking possible identity clues related to the Poly Network attacker. And confirmed that this is likely to be a long-planned, organized and prepared attack.

Subsequently, the hacker’s repayment actions were successively recorded on the chain.

According to data tracked by PeckShield, the hacker who attacked the Poly Network returned nearly 120 million BUSD in block 9939700 on the BSC. BitTweet previously reported that on Tuesday, the Poly Network, a decentralized finance (DeFi) project, was stolen by hackers of more than $600 million in digital assets. This attack is by far the largest DeFi hacking attack, surpassing the sum of all DeFi hacking attacks in 2021. On Wednesday morning Eastern Time, the company tweeted that it had received assets returned by hackers with a total value of US$4,772,297.675, including ETH address: US$2,654,946.051; BSC address: US$1,107,870.815; Polygon address: US$1,009,480.809.

Although the funds have been returned, the negative news that a single hacker attack can transfer $600 million in assets may once again cast an irreversible shadow on the development of Defi.

According to the previous report of “Beijing”, according to CipherTrace data, by the end of April, the total amount of cryptocurrency theft, hacking and fraud has reached 432 million U.S. dollars. The company wrote in the report, “Compared with the past few years, this number seems to be small, but if we look at this data more carefully, a bad trend is forming: hackers in the decentralized finance (Defi) field. It now accounts for more than 60% of the total amount of hacking and theft.”

According to another report released by Chainalysis in February, cryptocurrency transactions used for illegal purposes reached 10 billion U.S. dollars in 2020, accounting for only 1% of the total cryptocurrency activity last year and 50% of the same period the year before.

Author: Chen Zou

 

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/poly-network-hacking-case-blockchain-is-safe-but-smart-contracts-are-not/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2021-08-12 12:25
Next 2021-08-12 12:26

Related articles