Wu Said | Authors: Colin Wu, Ping Xiong | Editor of this issue: Colin Wu

1. Start

Poly Network claims to be the world's leading "lightweight" cross-chain interoperability protocol for heterogeneous chains. Its heterogeneous-chain and cross-chain bridge technology controls cross-chain operations by deploying smart contracts on the source chain, and opens up communication and transactions between heterogeneous chains, and even between mainstream public chains, at the protocol layer. The mainnet was launched in August 2020. Poly Network is a cross-chain organization jointly initiated by Neo, Ontology, and Switcheo Foundation as founding members, with Distributed Technology as the technology provider.

The SlowMist security team found that the hacker's initial source of funds was Monero (XMR), which was exchanged for BNB/ETH/MATIC and other currencies on an exchange and withdrawn to three separate addresses; soon afterwards, attacks were launched on three chains. Combining the flow of funds with multiple pieces of fingerprint information, this was likely a premeditated, organized and prepared attack.

2. Attack Started

1. At 8:38 pm on August 10, the cross-chain interoperability protocol Poly Network announced that it had been attacked (the cross-chain aggregation protocol O3 is built on Poly Network and was also affected), with a total of more than $610 million transferred to three addresses. Of this, more than $250 million was transferred to the Binance Smart Chain address starting with 0x0D6e2, more than $270 million was transferred to the Ethereum address starting with 0xC8a65, and more than $85 million was transferred to the Polygon address. The breakdown:

BSC assets: 6613 BNB, 87,603,671 USDC, 26,629 ETH, 1,023 BTCB, 32,107,854 BUSD
Polygon assets: 85,089,719 USDC
Ethereum assets: 96,389,444 USDC, 1,032 WBTC, 673,227 DAI, 43,023 UNI, 14 renBTC, 33,431,197 USDT, 26,109 WETH, 616,082 FEI

2. At 9:44, Tether Chief Technology Officer Paolo Ardoino tweeted that Tether had frozen 33 million USDT at the hacker address that attacked Poly Network. What puzzled the outside world is that Binance and Circle did not freeze BUSD and USDC, which directly led to the subsequent transfer of 120 million US dollars of stablecoins. CZ responded that no one can control BSC, and Circle did not respond to this. Binance CEO Changpeng Zhao said: The PolyNetwork theft case we all know about happened today. Although no one controls BSC (or ETH), we are coordinating with all security partners to proactively provide assistance. Can't give any, but we will do our best.

3. At 9:56, the Ethereum address starting with 0xC8a65 began trying to deposit funds into Curve.fi for money laundering. The first few transaction attempts failed because the USDT had been frozen, so only DAI and USDC were deposited, nearly 100 million in stablecoins in total (673,227 DAI and 96,389,444 USDC).

4. At 10:03, the Binance Smart Chain address starting with 0x0d6e2 transferred nearly 120 million US dollars of stablecoins (32,107,854 BUSD and 87,603,672 USDC) to the Curve fork project Ellipsis Finance.

5. At 10:27, the Ethereum address starting with 0xC8a65 redeemed the 3Crv LP shares obtained from its earlier stablecoin deposit for approximately 96,942,061 DAI.

3. Communication between the two parties

In the early morning of the 11th, PolyNetwork sent a letter to the hacker, saying: We hope to establish contact with you and hope that you will return the stolen assets. The amount you stole is the largest in the history of DeFi. The laws of any country will regard it as a major economic crime and you will be hunted down. It is unwise for you to conduct any further transactions (transfers). The funds you stole are the property of thousands of community members. You should talk to us to seek a solution.

The hacker then responded: If I transfer the remaining coins, it will be at the billion dollar level. Wouldn't I have saved the project? I am not very interested in money. Now I am considering returning some tokens, or leaving them here. What if I make a new token and let the DAO decide where the tokens go?

As of 9:40 am on August 11, there had been no new progress.

4. Reasons

Security company BlockSec has released its latest analysis report. In its initial analysis of the Poly Network attack, the BlockSec security team concluded that the cause may have been either a leak of the private key used for cross-chain signatures or a logic vulnerability in the signing program that led it to sign the attack transactions. BlockSec believes that the attacker may have held a legitimate key to sign the messages, which indicates that the signing key may have been leaked, or that a bug in the PolyNetwork signing process was abused to sign carefully crafted messages.

The SlowMist security team's analysis is that the keeper of the cross-chain contract was changed to an address designated by the hacker, allowing the hacker to construct arbitrary transactions and withdraw any amount of funds from the contract.

5. Others

As one of the cross-chain protocols with the largest locked-up value, O3 had experienced many organized attacks earlier, but it seems that these did not put PolyNetwork and O3 on alert. Both O3 and PolyNetwork belong to the NEO ecosystem, one of the largest public encrypted chains in the Chinese region, and in recent years they have been working hard in the DeFi field.

Babbitt's article of July 14 pointed out that cross-chain attacks had previously been very rare, but that in just half a month there had been 5 security incidents, with losses exceeding $17 million. Does this obvious increase in cross-chain attacks mean that hackers are targeting the cross-chain protocol ecosystem?

Igor Igamberdiev, a research analyst at The Block, once said that the interoperability between DeFi protocols is becoming more and more complex, thus opening up new attack vectors, which will become more frequent in the future. "In addition, after the attacker succeeds, he will quickly transfer the assets through the cross-chain bridge, and then use the mixing service to launder the assets."

The rumor, widely spread on the evening of the 10th, that the government retained super-control and thus embezzled funds is unlikely to be true. NEO Group is extremely strong and does not need to carry out such an operation; and if it had been an insider or a partner, it would be too easy to be exposed. Public information shows that the audit of PolyNetwork was completed by NCC Group, and the audit of the Ethereum smart contracts was completed by Certik.

Industry insiders pointed out that US financial regulators are currently paying close attention to DeFi, and relevant Chinese departments have also begun to pay attention. The US SEC recently brought charges in its first DeFi case. If this largest DeFi theft in history does not end well, it may on the one hand affect the industry's confidence in DeFi, and on the other hand prompt global regulators to clamp down on DeFi.

(Image: cryptochronicle)