On 10th August 2021, Poly Network announced in a tweet that it had been attacked. Not only had their network been breached, but the hacker had transferred enormous sums to their addresses right under Poly Network’s nose.
Initial investigations into the attack show that it was, in fact, the biggest theft in decentralised finance (DeFi) crypto attack history! In total, the hacker managed to steal $611m taking $273m in Ethereum, $253m in Binance Smart Chain and $85m in Polygon.
At the point of writing, the attacker (or attackers) remains unknown, although, they have started to return some of the stolen assets leading to the belief that the final damage of the attack will only be to Poly Network’s integrity and reputation. However, this theory is derived from early analysis only, and it’s not yet confirmed, meaning there remains a possibility that the attack could occur again.
So, how did they do it?
Currently, there are two publicly documented theories on how the cybercriminal(s) may have managed to pull off the attack. The first believes that the hacker exploited a vulnerability that allows threat actors to sign messages occurring during the exchange of cryptocurrencies. The second theory is that they identified a bug in the signing process of the Poly Network and abused it to sign a crafted message.
Poly Network reacted quickly by sharing news of the attack on Twitter and an open letter to the hacker to “urge the hackers to return the assets.” They followed up with a request to miners of the affected blockchains to blacklist tokens coming from the Ethereum, Binance Smart Chain and PolyGon addresses.
The motivations of the attack, and one of this scale, remain unclear. However, at the time of writing, the hacker has returned $260m of the stolen funds, of which Poly Network continues to update the cryptocurrency community over on its Twitter page.
What does FluidOne think?
As an end-user or a cryptocurrency trader, we recommend conducting thorough research into the organisations that you have your currency. It’s important to understand their stance on cyber security, as ultimately, protecting yourself from this type of attack is out of your control as an end-user. The issue exploited was a flaw in the trading platform system and not within your means to monitor.
If you hold an administrative position within a crypto trading platform, FluidOne advises that you ensure frequent penetration testing exercises are performed on the platform. This will identify any vulnerabilities before cybercriminals spot an opportunity to exploit them.
It goes without saying, attacks on a grand scale such as the Poly Network hack generate a high amount of publicity. Doing so highlights weaknesses within the cryptocurrency community and a lack of focus on security when it comes to the platforms used to trade on. In this instance, Poly Network was lucky that the hacker showed some remorse or has a different motive other than pure greed by returning some of the funds.
The attacker’s identity remains a mystery, though we would be surprised if Poly Network has not already started to investigate people within its inner circle who may have the skills or knowledge to pull off this kind of attack. It would be wise for Poly Network to alleviate any possibilities that this could have been an insider threat, not only to protect themselves and their users from a future attack but to ensure the integrity of their team.
It is yet to be seen if the attacker has another trick up their sleeve or if this does mark the end of the biggest crypto heist we’ve seen to date. Regardless of how the events are perceived or will be in the future, it should be a given that this is a learning experience for everyone involved with cryptocurrency security and welfare.
This attack could have occurred with a hacker that may not have been willing to return any stolen assets at all causing a lot more damage to the cryptocurrency community than just bruising Poly Network’s ego and reputation.
A full technical report on how the threat actor was believed to conduct these actions can be found here.
Concerned about your own security? Get in touch with our expert cyber team at CSA to see how we can find the right solution for you.
(Note: FluidOne does not condone or encourage theft of any kind and uses the above explanation as a learning experience regarding security).
About the author
Dave Woodfine, Co-founder and Managing Director, Cybersecurity Associates
Dave is an ex Cyber Commander working for the Royal Air Force and GCHQ. Now with years of commercial experience, Dave is an expert in cyber risk management and shaping cyber security strategies.