The hackers who “get lost” and the security concerns of blockchain

As of 12:59 on August 11, the theft from the O3 fund pool on Poly Network, after hours of escalation, appears to have reached its final outcome.

The hacker used the attacking address to send a transaction to itself, and wrote “I NEED A SECURED MULTISIG WALLET FROM YOU” in the data attached to the transaction.


Poly Network then replied: “We are preparing a multi-sig address controlled by known Poly addresses” and, 50 minutes later, posted the receiving addresses for the three chains Ethereum, BSC, and Polygon. They are:

ETH: 0x71Fb9dB587F6d47Ac8192Cd76110E05B8fd2142f

BSC: 0xEEBb0c4a5017bEd8079B88F35528eF2c722b31fc

Polygon: 0xA4b291Ed1220310d3120f515B5B7AccaecD66F17

This long exchange lasted about 15 hours. In the first attempt to communicate, Poly Network tried to open a channel and left a contact mailbox. After 2 hours, it continued to communicate and stated that if the assets were returned, the hacker would be given a security reward for discovering the vulnerability.

The hacker then stated, via the attacking address, that a DAO might be established to decide where the funds in the address go.

Poly Network replied again that establishing a DAO would not change the fact that the funds were stolen. If the assets are returned, the hacker will be given a security bounty, and the event will be remembered as the largest “white hat” hacking incident in history.

Then came the key news: the hacker stated that he was a legend and would return the assets.

White hat hackers are hackers who act on the side of justice. The backbone of many security companies in the blockchain space comes from white hats.

Perhaps the hackers involved this time are really not interested in money as they say.

At around 5 pm, the Polygon address announced by Poly received 1.01 million USDC. As of publication, no assets had yet been transferred to the other addresses.

However, for blockchain practitioners and users, an attack has only a small probability of ending well and a high probability of harming the security of the project and of user assets.

After the security incident, one very ironic comment on it read: “Tell a joke, the blockchain is safe.”

The layman watches the spectacle; the insider looks at how it was done.

The security of the blockchain is a relative concept, not an absolute concept.

With the lure of huge profits, unregulated cryptocurrency, and immature contract design, it is not surprising that hackers use contract vulnerabilities in cryptocurrency networks as cash machines.

In traditional finance, security lies not only in software but also in process controls. But when the entire process is executed automatically through smart contracts, multiple loopholes will appear.

The biggest safeguard then becomes design practice for code correctness, backed by safety cases.

The problem at Poly this time is that the hacker was able to take control of the authority that manages transfers out of the fund pool. Once the transfer address was changed to the hacker’s own address, sending a transfer transaction carrying fabricated data to the contract was enough for the assets in the fund pool to be transferred out smoothly.

This vulnerability arises mainly because some contracts are designed to accept certain data and act on it, but more than one path can trigger that action, and a weakness in one of those paths was exploited by the hacker to hijack “privileges.”
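The pattern described above, as a simplified Python model added here for illustration (it is not Poly Network's contract code; `FundPool`, `Relay`, the method names and the sample message are all hypothetical). A relay that executes whatever action the incoming data names becomes a second path to the manager change, and an allowlist on the relay closes that path.

```python
# Simplified model, constructed for illustration; not Poly Network's code.

class FundPool:
    """Pool whose manager may move assets. Two paths can change the manager."""
    def __init__(self, manager, relay_name, balance):
        self.manager = manager
        self.relay_name = relay_name
        self.balance = balance

    def deposit(self, caller, amount):
        self.balance += amount

    def set_manager(self, caller, new_manager):
        # Path 1: the current manager. Path 2: the trusted relay contract.
        if caller not in (self.manager, self.relay_name):
            raise PermissionError("caller may not change the manager")
        self.manager = new_manager

    def transfer_out(self, caller, to, amount):
        if caller != self.manager:
            raise PermissionError("only the manager may transfer")
        self.balance -= amount
        return to, amount


class Relay:
    """Executes the action named in message data, as the pool's trusted caller."""
    def __init__(self, name, allowed_methods=None):
        self.name = name
        self.allowed_methods = allowed_methods  # None = dispatch anything (weak)

    def execute(self, pool, message):
        method = message["method"]
        if self.allowed_methods is not None and method not in self.allowed_methods:
            raise PermissionError(f"relay refuses method {method!r}")
        return getattr(pool, method)(self.name, *message["args"])


def replay_forged_message(relay):
    """Send one forged manager-change message, then try to drain the pool."""
    pool = FundPool(manager="ops", relay_name=relay.name, balance=1000)
    forged = {"method": "set_manager", "args": ["outsider"]}  # constructed sample
    try:
        relay.execute(pool, forged)
        pool.transfer_out("outsider", "outsider", pool.balance)
    except PermissionError:
        pass  # the allowlisted relay rejected the privileged method
    return pool
```

With `Relay("relay")` the forged message replaces the manager and the pool is emptied; with `Relay("relay", allowed_methods={"deposit"})` the same message is rejected and the pool is untouched.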

There is also a framework for understanding such events: it divides security into chain security and contract security.

A public chain must first ensure the security of the chain itself, that is, the security of the ledger and of transaction packaging. Next comes the security of contract execution.

The security of software depends on the maturity of the developer’s code. As the saying goes, there is no absolutely safe system, only developers of varying quality.

Chain security means that the chain’s consensus algorithm design and the implementation of its base protocol must be free of loopholes. Second, the contracts executed on top of the base protocol must be free of problems. An obvious loophole in token issuance, for example, is very likely to be exploited to issue additional tokens.

The security of the chain is mainly guaranteed by consensus. Bitcoin uses Satoshi Nakamoto consensus, Ethereum uses Ethash, and Polkadot uses NPOS. What consensus guarantees is that the ledger cannot be tampered with. Contract security, by contrast, rests only on the contract’s design and the maturity of its code.

Therefore, contract designers and developers must design contracts rigorously and check for design loopholes, programming loopholes, flaws in design logic, and possible problems in business scenarios.

Here we again use the contract audit process to give you a way of thinking about contract security.

After the security audit team receives the audit requirements, it first runs the team’s internal security audit tools. The tools are only an aid, so a manual audit follows. This stage checks for common vulnerabilities against an audit checklist.

Then comes the business audit: which business scenarios, business scale, and business logic are involved, and how the business is described. The auditors check whether the code is inconsistent with the described functionality, whether it can be looted, whether tokens are locked, whether permissions are set incorrectly, whether additional issuance or unlimited minting is possible, and so on.

Even after these steps are completed, as mentioned above, the security of the code depends on the maturity of the code. Different developers judge a contract differently depending on their experience, and smart contracts have their own peculiarities while DeFi business logic is complex. The code audit must therefore be cross-audited and mutually reviewed.

Take the problem in Poly’s Ethereum contract: there was nothing wrong with the later stages of the contract’s process, but from the hacker’s point of view, forging some data at the front of the process was enough to take control of the contract’s transfer authority. It was a roundabout way of breaking through.

Put differently, because Poly is a cross-chain system, the problematic part can be described as the cross-chain contract interaction, which shows that cross-chain implementations require more rigorous logic.

From the perspective of smart contract design, most of the problems with DeFi contracts lie in asset transfer, price calculation, and authority control. Developers should therefore start from these areas, trace upward along the path, find the possible weak links, and guard against them.

Fortunately for Poly, this time the hacker is able to return the assets. Although only a small part has been returned so far, we are still waiting for more asset transfers. The news I got from Poly is that the contract is currently being upgraded, that the highest-priority goal is to recover user assets, and that other details will be announced later.


Judging from the news released by the hacker, it seems that the hacker has accepted the security bounty proposed by Poly. We hope that the two sides can quickly end this tug-of-war and, as Poly said, make this security incident the largest white hat hacking incident in history.


Posted by: CoinYuppie, Reprinted with attribution to: