In what appears to be the largest DeFi hack in history, Poly Network, a cross-chain interoperability protocol, lost over $600 million of combined amounts in $ETH (Ethereum), $BSC (Binance Smart Chain), and $MATIC (Polygon) to a still unknown threat actor.
The breach is considered to be the largest of its kind in the decentralized finance (DeFi) sector. The identified addresses contained the following amounts: $264.8 million in $ETH, $250.8 million worth of $BSC, and $85 million worth of $MATIC. Despite the complications and losses, the DeFi sector’s market remains stable a day after the exploit was identified.
The news was broken yesterday by Poly Network, which issued a notice to its users, saying:
— Poly Network (@PolyNetwork2) August 10, 2021
Dona Mara, an editor at HAPI, an on-chain cybersecurity protocol working with trustless oracles to prevent hacks as in the case of Poly Network, said that the hack was indicative of an insufficient security layer , highlighting the current state of cybersecurity in the crypto and blockchain space.
“There is a need then for a failsafe mechanism within the decentralized space that can vicariously or hand in hand execute a similar or supplementary role to the currently established centralized system of custody i.e. eliminating the need to employ tight surveillance and deanonymization.” Mara argued.
SlowMist, an information security research firm specializing on blockchain ecosystems, provided analysis of the hack, saying that the exploit was done through a modification of cross-chain contracts and verification functions that execute the data passed and submitted by a user through an execute function. Poly Network later republished this analysis in an effort to connect with the threat actor. An initial investigation by Poly Network revealed that the exploit was based on a “vulnerability between contract calls.”
Poly Network admonished the threat actor with the following warning:
“Law enforcement in any country will regard this as a major economic crime and you will be pursued. The money you stole are from tens of thousands of crypto community members, hence the people.”
Below is a copy of the letter from Poly Network addressed to the hacker:
UPDATE: Based on recent communication between Poly Network and the yet unidentified threat actor who now uses the username “PolyNetwork Exploiter” on Etherscan, a return of the missing funds is about to happen. Cross-chain developer project O3 Labs opines that it might be the case that the alleged hacker is actually a white hat hacker, i.e., the exploit was done as a test. CryptoDaily’s team will follow-up with developments on the matter.