Poly Network theft incident again raises the DeFi security dispute: is supervision now on the agenda?

On August 10, Poly Network, a cross-chain interoperability protocol, was attacked by hackers. Poly Network tweeted that a preliminary investigation had identified the cause of the vulnerability: the hacker exploited a flaw between contract calls, and the attack was not caused by a compromised single custodian as had been rumored. At the same time, Poly Network released a letter to the attacker, saying it hopes to establish communication and urging the attacker to return the hacked assets. The letter states that the amount hacked is the largest in DeFi history, that the law enforcement agencies of any country will treat this as a major economic crime, that the attacker will be hunted down, and that it is very unwise to conduct any transactions with the funds. The stolen funds came from tens of thousands of crypto community members, and Poly Network hopes the attacker will talk to the team to work out a solution.

The SlowMist team reviewed the details of the attack and pointed out that it was mainly due to contract vulnerabilities. The keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract executes data passed in by the user through the _executeCrossChainTx function. The attacker therefore used this function to pass in carefully constructed data that changed the keeper of the EthCrossChainData contract to an address specified by the attacker. The incident was not caused by a leak of the keeper's private key.

Then the SlowMist team gave a detailed description:

1. The core of this attack is that the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute user-specified cross-chain transactions through the _executeCrossChainTx function.

2. Since the owner of the EthCrossChainData contract is the EthCrossChainManager contract, the EthCrossChainManager contract can modify the keeper of the data contract by calling the putCurEpochConPubKeyBytes function of the EthCrossChainData contract.

3. The verifyHeaderAndExecuteTx function of the EthCrossChainManager contract executes user-specified cross-chain transactions by internally calling the _executeCrossChainTx function, so the attacker only needs to pass carefully constructed data to verifyHeaderAndExecuteTx to make _executeCrossChainTx call the putCurEpochConPubKeyBytes function of the EthCrossChainData contract, changing the keeper role to an address specified by the attacker.

4. After replacing the address of the keeper role, the attacker can construct cross-chain transactions at will and withdraw any amount of funds from the contract.
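The four steps above come down to one dispatch decision: the manager derives the 4-byte function selector from a caller-supplied method name and forwards the call to a caller-supplied target, and the data contract trusts the manager as its owner. The following is an added example, not Poly Network's or SlowMist's code. It models that selector derivation in Python and shows the check that closes it. The contract names are the article's; the placeholder addresses, the `vulnerable_dispatch`/`hardened_dispatch` functions and the allowlist design are assumptions made here for illustration, not the project's actual patch. One detail the article does not spell out but the public post-mortems of this incident do: the "carefully constructed data" was a method name (`f1121318093`) chosen so that the manager's derived selector, `bytes4(keccak256(abi.encodePacked(_method, "(bytes,bytes,uint64)")))`, equals the selector of `putCurEpochConPubKeyBytes(bytes)`, 0x41973cd9. A small Keccak-256 is inlined because `hashlib.sha3_256` is NIST SHA-3 with different padding and would give the wrong selectors.

```python
# Added example (not Poly Network's code): models the selector derivation the
# article describes and an allowlist check that closes it. Contract names are
# the article's; placeholder addresses and the dispatch functions are assumed.
# The colliding method name and the 0x41973cd9 selector come from the public
# post-mortems of this incident. hashlib.sha3_256 is NIST SHA-3 (different
# padding) and gives wrong selectors, so Keccak-256 is implemented inline.

MASK64 = (1 << 64) - 1

ROUND_CONSTANTS = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# rho rotation offsets, indexed [x][y]
ROTATION = [
    [0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56], [27, 20, 39, 8, 14],
]


def _rol(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _keccak_f1600(a):
    for rc in ROUND_CONSTANTS:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]  # theta
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]  # rho + pi
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], ROTATION[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y] & MASK64)  # chi
              for y in range(5)] for x in range(5)]
        a[0][0] ^= rc  # iota
    return a


def keccak256(msg: bytes) -> bytes:
    """Original Keccak-256 (pad10*1 with 0x01 domain byte), as used by the EVM."""
    rate = 136
    q = rate - len(msg) % rate
    msg += b"\x81" if q == 1 else b"\x01" + b"\x00" * (q - 2) + b"\x80"
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):  # lane i lives at state[x = i % 5][y = i // 5]
            a[i % 5][i // 5] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f1600(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


def selector(signature: str) -> bytes:
    """4-byte EVM function selector: first 4 bytes of keccak256(signature)."""
    return keccak256(signature.encode())[:4]


def manager_selector(method: str) -> bytes:
    # What the manager derives from the caller-supplied method name, i.e.
    # bytes4(keccak256(abi.encodePacked(_method, "(bytes,bytes,uint64)"))).
    # Only 32 bits are kept, so a colliding name is a brute-force search away.
    return selector(method + "(bytes,bytes,uint64)")


# Hypothetical placeholder addresses for the contracts the article names.
ECCD = "0xEthCrossChainData"
BUSINESS_CONTRACT = "0xSomeBridgeApp"
KEEPER_SETTER = selector("putCurEpochConPubKeyBytes(bytes)")  # 0x41973cd9


def vulnerable_dispatch(to_contract: str, method: str) -> tuple:
    """Forwards to any target with a selector the caller effectively chooses.
    Returns the (target, selector) pair that would be called."""
    return to_contract, manager_selector(method)


def hardened_dispatch(to_contract: str, method: str, allowlist: set) -> str:
    """Assumed hardening (not the project's exact patch): only forward to
    (target, selector) pairs registered ahead of time, and never to the data
    contract, so a name picked to collide with its setter is refused."""
    sel = manager_selector(method)
    if to_contract == ECCD or (to_contract, sel) not in allowlist:
        return "rejected"
    return "forwarded"


if __name__ == "__main__":
    print("putCurEpochConPubKeyBytes(bytes) ->", KEEPER_SETTER.hex())
    print("f1121318093(bytes,bytes,uint64)  ->", manager_selector("f1121318093").hex())
    allow = {(BUSINESS_CONTRACT, manager_selector("unlock"))}
    print("vulnerable:", vulnerable_dispatch(ECCD, "f1121318093"))
    print("hardened:  ", hardened_dispatch(ECCD, "f1121318093", allow))
```

The point of the allowlist keyed on both target and selector is that the collision is not the bug; a 32-bit selector will always be collidable. The bug is that a contract with owner privileges over the data contract forwarded calls to any target with any selector, so the fix has to constrain where the manager may call, not what names look suspicious.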

It is worth noting that the amount hacked this time is the largest in DeFi history, with a total of over US$610 million transferred to 3 addresses. As a consequence, large assets were drained from the O3 Swap cross-chain pool. The security team found that the hacker's initial source of funds was Monero (XMR), which was exchanged for BNB/ETH/MATIC and other currencies on an exchange and withdrawn to the 3 addresses, with the on-chain attack following soon after. Taken together, the flow of funds and multiple fingerprints suggest that this was a long-planned, organized and well-prepared attack.

After the incident, Tether froze 33 million USDT at the Poly Network attacker's address. As of press time, the attacker had also responded: "If I transfer the remaining coins, it will be a billion-dollar attack. Did I just save this project? I am not very interested in money, and now I am considering returning some tokens or leaving them here." The attacker then added: "What if I make a new token and let the DAO decide where the token will go?"


As the incident unfolded, on August 11, the hacker who attacked Poly Network stated in a transaction at block height 13001631 that he had decided to return the assets and would no longer create a DAO organization. In the same message, the hacker called himself a legend.

Although the hacker has decided to return the assets, discussions about DeFi security continue. In fact, with the explosive development of DeFi, related security incidents are frequent, and cross-chain attacks are not rare. Prior to this, Rari Capital lost $15 million in a cross-chain attack. Some analysts pointed out that interoperability between DeFi protocols is becoming more and more complex, the related attack surface is growing, and more such attacks are expected.

Jesse, VP of technology at the Roxe payment network, pointed out that DeFi has been a dark forest from the start. Many people with ulterior motives have been watching in secret. Even after some vulnerabilities are discovered, attackers may just wait for a more suitable opportunity rather than act immediately, like a virus in its incubation period waiting for a bigger payoff. There must be many unknown loopholes that have simply not broken out yet.

Some market voices worry that if DeFi security cannot be handled properly, it may undermine confidence in the industry. On the other hand, it may accelerate global supervision of the industry. Jesse, VP of technology at the Roxe payment network, said that in the long run supervision is necessary. As the blockchain industry continues to mature, countries will certainly strengthen supervision, which is also a sign of industry maturity. Beyond the so-called pleasure of freedom that the unsupervised chaos of the early days brought, that chaos will in future be used by a small number of underground organizations, harming the interests of the public. Although we sometimes do not like government supervision, its positive significance far outweighs the negative.

In this context, how should ordinary investors protect their property?

Jesse, VP of technology at the Roxe payment network, pointed out that one of the big problems of blockchain is that it is not close to the people and is hard for newcomers to understand, which makes blockchain a niche game. Security appears to mean that users control their own assets, but it requires each user to become a security expert and face hacker attacks from the dark at any time. The problem is that the public does not have enough ability to identify threats and protect themselves. In many cases they can only rely on audits by security companies, but this is not 100% safe. Compared with traditional industries, DeFi is still very young, many things are not yet mature, and it cannot provide the kind of security guarantees that government-backed banks do. The biggest advantage of DeFi is trust, but this trust is based on code, and the security of the code cannot be effectively assessed by the public. Hacking attacks originate from a huge asymmetry of knowledge, which also means that DeFi security is not a simple yes-or-no question. For DeFi investors, at present, they can only protect their private keys, neither leaking nor losing them, and in addition identify good projects and audited contracts as much as possible.

Bitpie also suggested in a related Weibo post that multiple addresses should be used to participate in DeFi, with different DeFi protocols and different assets kept at different addresses, so that even if one DeFi project is compromised, your other assets are not affected. At the same time, the approvals granted by each wallet address should be checked regularly, and approvals for projects that are not used often should be revoked promptly.

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/poly-network-theft-incident-again-cited-defi-security-dispute-supervision-or-put-it-on-the-agenda/
CoinYuppie is an open information publishing platform; all information provided is unrelated to the views and positions of CoinYuppie and does not constitute investment or financial advice. Users are expected to screen information carefully and guard against risks.
