The third day of the PolyNetwork case: $600 million was recovered in 52 hours. The hacker actively revealed his identity information. Shenyu wants to build a monument

Wu said author | Colin Wu

Editor of this issue | Colin Wu

On the evening of August 12, the hacker of PolyNetwork basically returned all the money, and the largest theft in DeFi history came to an end. The hacker also continued his self-narration, providing more information about the incident, and he even began to actively disclose a large amount of personal identity information (true or false is unknown). Let's continue to sort out the situation on the third day:

On the morning of August 12, the PolyNetwork hacker returned all the tokens on the Polygon chain, approximately 85 million.

PolyNetwork released a new tweet: It is undeniable that we are going through a difficult period, but we still want to remind all PolyNetwork users that our primary goal now is to fully restore user assets. The team has been working hard to achieve this goal. This happened. We look forward to Mr. White Hat returning all remaining user assets as he said, and we will continue to work hard to achieve this goal.

Subsequently, the PolyNetwork hacker responded to the outside world’s doubts:
Tell DeFi noobs: My initial attempt was to deposit Curve for the interest, which is benign and safe. I don't even want to cause an imbalance in the stable pool by exchanging. My plan is to hold CRV until I realize that withdrawing USDC is stupid, and then I have no choice but to convert them to DAI. It's clear and traceable, why launder money?
Why do you think I can't move funds? Because there's too much? TORNADO is powerful enough that I can move 100ETH every month, how do you identify cash flow? I made fun of them, but I never tried it.
In the DeFi world, code is law. So who is the arbitrator? We, the hackers, are the armed force. If you get weapons while anonymous and protect billions of people from the crowd, would you be a terrorist or Batman?
A word to security newbies: there is no perfect system. I don’t think you should blame the Poly team or their auditors. In my experience, it’s not easy to understand the entire logic of the Poly network system, and it’s even harder to find subtle errors. What I hope you know is, don’t bet your life on something you may never understand!

On the evening of August 12th, Beijing time, the PolyNetwork hacker returned 142 million US dollars on the Ethereum chain, including 1,032 WBTC and DAI. At nearly 12:00 on August 12th, Beijing time, the last 28,953 ETH of the PolyNetwork hacker was being refunded. According to calculations, except for the 30 million USDT frozen by Tether, all refunds have been basically completed. However, 230 million are in 3/4 of the multi-signature addresses of both parties.

PolyNetwork said it would reward hackers with $500,000 for "white hat behavior", but the hacker said: "A bounty was indeed offered, but I never responded to them. Instead, I would send all their money back."

In addition, the hacker said that now is the last token, ETH! However, I was scared for the first time! They are calling me Mr. 600 million, but the price of ETH has been falling recently. What if my balance cannot pay the debt? ETH please skyrocket!

I feel sorry for any innocent person who was affected by my adventure. I tried to avoid introducing any noise to the crypto world: no contact with shitcoins, no mass exchanges, no dumping of valuable assets. However, even the avengers have to face endless lawsuits from civilians. Seriously, I am considering using the limited bounty as a source of accidental victim compensation fund, but it is difficult to prove that your loss is my fault, especially when you have gambled beyond your means. Another embarrassing fact is that refugees have taken over my mailing list, and it is difficult to compete with them with your real story. Anyway, I will try to do something.

The hacker then announced his donation address and said it would become the main source of the fund.

F2Pool co-founder Shenyu said: (It was previously rumored in the market that Shenyu invested 100 million US dollars)

Since 19:30 the day before yesterday, 52 hours have passed. With the joint efforts and communication of multiple parties, the progress of the PolyNetwork security incident has been promoted. At present, the white hat hacker has returned all - 580 million US dollars, of which 33.43 million USDT was frozen by Tether, and 230 million USDT was in 3/4 of the multi-signature addresses of both parties, thus achieving phased results.
As a witness of this rescue incident, I would like to express my special thanks to the white hat hacker MR. 600 MILLION, SlowMist, Tether, PolyNetwork and dozens of other participants who quickly completed the vulnerability analysis through distributed collaboration, communicated in an orderly manner, and continuously promoted the progress of the incident. Next, we will continue to coordinate with all parties, complete the finishing work, and bring it to a successful conclusion.
This incident is a warning to all Defi participants, so we will build a monument in CV (should be the metaverse project Cryptovoxels) to commemorate this incident, thank all participants, and promote the safe development of the entire industry.

Shenyu then responded in the community: the matter has only achieved phased results, and there is still some distance to the full refund. First, there are 230 million US dollars still in the multi-signature address, and the project party and the white hat hacker need to work together. This multi-signature address is a 3/4 multi-signature. Currently, the project party and the white hat hacker each have two private keys, which means that the white hat hacker needs to agree to authorize before the money can be truly returned to the project party's address; second, there are also 33 million USDT currently frozen by Tether, which requires the project party and Tether to work together; third, the project party needs to fix the system loopholes and re-launch the pool before investors can successfully retrieve it. No matter how optimistic the estimate is, it will take a week.

Colin, editor-in-chief of Wu Blockchain, pointed out that the successful handling of this incident also prevented the DeFi industry from suffering a "catastrophe" similar to the early Mentougou. The hacker's behavior and speech are indeed more like the so-called "white hat" rather than a hacker who was coerced by location. The British police also cracked the BSC "magnet case" a few days ago, and more than 20 million US dollars were returned in full. All of this shows that with the development of the encryption industry, the balance of forces and struggles of different institutions has also made the industry more positive and stronger. (Head picture from Newsweek)

Attachment: The "talkative" hacker continued his self-narration in the fourth and fifth parts, including some process information, and actively revealed his identity information, the aforementioned content was in the previous article:

Q&A Part 4:

Q: Why did you choose CEX (maybe Tiger Token)? Rookie?

A: Whatever :)

The main challenge is to call some contracts from the Ontology network (my favorite part). You have to get some "gas" for the Ontology network, which is called "ONG".

However, it is not a DeFi tradable token. I can only find it on some Chinese CEXS. Why would you trade on a DEX if you have to go through a CEX? Why do you think I might leave a trace in DEXES?

Q: Why the refund? Coward?

A: Whatever :)

When you judge others, you don't define them, you define yourself.

I’ve been enjoying the things I care about most: hacking and mentoring.

There are very few hackers who can understand what is happening with DeFi security. Yes, you see a lot of hacks, but most of them are not as pleasant as real hacks. Some stupid code can lead to a lot of losses, but it is not challenging. It's like fighting against teenagers.

I admit that Poly Hack is not as fancy as you might think, but I did learn something new from this project. I would say that finding out the blind spots in the Poly network architecture will be one of the best moments of my life.

With the development of the crypto world, I have enough money. I have been exploring the meaning of life. I hope my life can be composed of unique adventures, so I like to learn and hack everything to fight against fate. SEIN ZUM TODE.

Honestly, I did have some selfish motivations to do something cool, but not harmful, like the DAO idea, by leveraging huge funds. Then I realized that being an ethical leader would be the coolest skill I could save! Cheers!

Q&A Part 5

Q: Why AMA? Your confession?

A: It's more like a journal. Something I'm proud of.

Q: Rubbish English?

A: Not a native speaker. (Identity revealed) I just expressed my true feelings without polishing. Typing while holding down the "Shift" key is not easy.

Q: Black hat or white hat?

A: I also enjoy judging others' superiority, but it is by no means easy. Not only legal goodies can be white hats. The so-called black hat can also be a good person. People are changeable. Have you heard of grayscale?

Q: Shouldn’t white hats just notify the developers?

A: Read P1Q1234. DEFI is a dark forest, hundreds of projects run away every year. I don’t trust anyone.

Q: Why did you hide in the beginning?

A: Even if you are legal, you can be in danger for any reason. Security people do care about safety.

Q: Why do you need to explain so much?

A: Read P4Q2. The mentoring part means a lot to me. I want to share how I overcame my arrogance and greed. I think the mental challenge is no easier than the hacking part.

Honestly, I was so excited when EXPOLIT worked that I almost forgot about the original plan because there were so many guesses and it was unexpected (see P2Q1). The first message (see P3Q1) sparked my interest in doing something creative. I spent some time looking for interesting but reasonable ideas from my message list.

I was (still) very confident in my hiding, so I thought I could handle this game as long as I didn't cause unbearable losses. Later I began to calm down, because of those refugees. Yes, I realized that even temporarily taking over the money was still an unforgivable joke, it would cause too much pain.

For the "billion shitcoins" joke, I meant the headline was probably more eye-catching, but the outcome was the same: I'm not dumping shitcoins. That turned out to be a terrible joke. For the "DAO" joke, I asked the community how and when to refund. That was an irresponsible joke.

I am not scared at all by exposure or money laundering issues (read my rookie lessons). I just realized that I should be cautious because my decision will change many people's lives! If I leave the tokens there and quit the game, I can enjoy life as a millionaire and continue my quest as usual, but thousands of people will lose control of their own destiny. This goes against my personal philosophy (see P4Q2).

I quickly wrote an email to POLY with a signed ETH transaction from an anonymous email address. If they received the email, they would be able to broadcast transactions through my address. This was not a wise move because I could not broadcast any new messages before them. That email must have been lost and I did not get a confirmation from ETH, but I waited for several hours because of this error.

The next part of the story is something you already know. I stopped playing and returned the money as I had planned.

Q: You were not exposed, but they had clues, so you were scared!

A: I am more confident than anyone else.

I am a well-known hacker in the real world (revealed identity 2). I work in the security industry and have devoted myself to the hacking profession since I was a child (revealed identity 3). Seriously, as security researchers, our job is to save the hidden world.

I know security consulting is a tough job and reputation means a lot. I don't mind security teams making ads based on my incidents, especially when it helps them. Raising concerns about security is also the mission of our careers.

If any hacker can find my social identity within a month, I want to send him my personal gift. Otherwise, I may or may not reveal another clue of my identity. Shall we play a game?

Even though I was recognized, I still feel proud of my integrity :)