In the early morning of August 12, the hacker who attacked Poly Network posted a self-conducted Q&A, answering a series of questions such as why he launched the attack, why he chose to attack Poly Network, and why he repaid the loan.

Q: Why attack?
A: For fun :)

Q: Why did you choose PolyNetwork?
A: Cross-chain attacks are very popular.

Q: Why do you want to transfer the tokens?
A: To ensure safety. When the bug was discovered, I had mixed feelings. Ask yourself, what would you do if you were faced with such a fortune. Ask the project team politely so they can fix the problem? Anyone can be a traitor! I can't trust anyone! The only solution I could come up with was to save it in a trusted account while keeping myself anonymous and safe. Now everyone smells a conspiracy. Insider? Not me, but who knows? It's my duty to expose the vulnerability before any insider can hide and exploit it!

Q: Why is it so complicated?
A: Poly Network is a nice system. It is one of the most challenging attacks a hacker can enjoy. I have to defeat any insiders or hackers quickly, I treat it as a bonus challenge :)

Q: Were you exposed?
A: No. Never. I understand that even if I don't do evil, there is a risk of exposing myself. So I use temporary emails, IPs, or so-called fingerprints, which are untraceable. I would rather stay in the dark and save the world.

Q: What exactly happened 30 hours ago?
A: It's a long story. Believe it or not, I was forced to play this game. Poly Network is a complex system and I didn't manage to set up a local test environment. I failed to make a POC at first. However, just before I gave up, the AHA moment came. After debugging all night, I made a SINGLE message for the Ontology network. I planned to launch a cool blitz to take over four networks: ETH, BSC, POLYGON, and HECO. However, something went wrong with the HECO network! The relayer behaved differently from the other relayers, the admin just directly relayed my exploit, and the key was updated to some wrong parameters. It ruined my plan. I should have stopped at that moment, but I decided to let the show go on! What if they secretly patched the vulnerability without any notice? However, I didn't want to cause a real panic in the crypto world. So I chose to ignore the shitcoins, so people don't have to worry about them going to zero. I took the important tokens (except SHIB) and didn't sell any tokens.

Q: Then why sell/convert those tokens?
A: I was really angry at the initial response from the POLY team. Before I had a chance to respond, they urged others to blame and hate me! I certainly knew there were fake DeFi tokens, but I didn't take it seriously because I had no plans to launder money. In the meantime, depositing my money in Curve would earn me some interest to cover potential costs, giving me more time to negotiate with the Poly team.

Q: Why do I have to tip 13.37 ETH?
A: I feel the warmth of the Ethereum community. I was busy investigating the problem with HECO and debugging my script. I thought it was the network problem, why I couldn't deposit (I'm behind a complicated proxy). So I shared my goodwill with the guy.

Q: Why are you asking about TORNADO and DAO?
A: Having witnessed so many hacks, I knew that investing my money in TORNADO was a wise but desperate decision. It went against my original intention. After meeting so many beggars, becoming a crowd-sourced hacker was just a joke to me :)

Q: Why the refund?
A: That was always the plan! I'm not really interested in money! I know people are miserable when they get hacked, but shouldn't they learn something from these hacks? I announced the refund decision before midnight, so those who believed in me should rest easy ;)

Q: Why is the refund so slow?
A: I do need time to talk to the POLY team. Sorry, this is the only way I know of to prove my dignity while hiding my identity. I need a break.

Q: Poly Network team?
A: I have started a brief conversation with them, the logs are on Ethereum. I may or may not publish them. The pain they suffered was temporary, but memorable. I want to give them tips on how to secure their network so that they can be qualified to manage billion dollar projects in the future. Poly Network is a well designed system that will handle more assets. They have a lot of new followers on Twitter, right?