• Poly Network was exploited by a hacker who managed to manipulate a smart contract function and issue billions of tokens for profit.
• The attack affected 57 crypto assets on 10 blockchains, with the hacker transferring out at least $5 million worth of crypto.
• A DeFi security analyst explains the exploit used a malicious parameter containing a fake validator signature and block header.
Poly Network Exploited
The Poly Network has been exploited again, this time due to compromised private keys, according to blockchain security firm Dedaub. Further details are coming to light following a July 2 attack on cross-chain bridge platform Poly Network, in which a hacker was able to issue billions of tokens out of thin air for profit. In the most recent update, the team revealed that the exploit affected 57 crypto assets on 10 blockchains, including Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKX and Metis. It did not specify how much was stolen in the attack, but PeckShield earlier reported that the exploiter had transferred out at least $5 million worth of crypto. A July 3 report from CertiK later estimated that the attack led to around $10 million worth of crypto collected across five externally owned addresses.
DeFi security analyst Arhat said the exploit resulted from a smart contract vulnerability that allowed the hacker to “craft a malicious parameter containing a fake validator signature and block header.” This was accepted by the smart contract, enabling the hacker to bypass the verification process and issue tokens from Poly Network’s Ethereum pool to their own address on other chains, such as Metis, BNB Chain, and Polygon. The process was repeated on other chains, piling up the token stash. At one point, the hacker’s wallet held around $42 billion worth of tokens, but they were only able to convert and steal a fraction of them, the analyst said: “This way, the hacker was able to mint billions of tokens on various blockchains that did not exist before and transfer them to their own wallet addresses.”
Security Firm’s Report
Blockchain security firm CertiK released its post-mortem report regarding this incident, which stated that “the attacker successfully tricked an internal component (`validator`) within Poly Network into believing it communicated with another blockchain (Ethereum), while in fact it was talking directly with itself”. According to this report, “the attacker then abused this communication loop in order to receive rewards without having any real funds deposited into the Bridge Contract.” The CertiK audit also found that there were no significant vulnerabilities in either Poly Network or its underlying protocols during its audit process before mainnet launch; however, it identified certain areas for improvement which could have helped in reducing potential damages caused by such attacks in future versions of these protocols/platforms.
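The verification flaw both analysts describe, a bridge contract accepting a block header and validator signature it should never have trusted, and a verifier that ended up talking to itself rather than to the foreign chain, can be illustrated with a simplified header verifier. The Python below is an added example written for this article, not Poly Network’s code or code from Dedaub, CertiK or Arhat; the chain IDs, validator names and keys are constructed, and HMAC stands in for the ECDSA signatures a real bridge checks against validator public keys. The weak function trusts validator keys carried inside the same parameter as the header, so an invented key counts as a validator. The hardened function only counts signatures from a validator set pinned in contract state, requires a quorum of distinct signers, and rejects any header that does not come from the expected source chain or that claims to come from the verifier’s own chain.

```python
import hashlib
import hmac
import json

# Constructed example: a destination-chain bridge verifier for relayed block
# headers. Chain IDs, validator names and keys are hypothetical; HMAC stands in
# for the ECDSA signatures a real bridge would verify against public keys.
THIS_CHAIN_ID = 1              # chain on which this verifier runs
EXPECTED_SOURCE_CHAIN_ID = 2   # the only chain whose headers it may accept
QUORUM = 2                     # distinct pinned validators required per header

# Pinned validator set: fixed in contract state, never read from a call parameter.
PINNED_VALIDATOR_KEYS = {
    "val-a": b"constructed-key-a",
    "val-b": b"constructed-key-b",
    "val-c": b"constructed-key-c",
}


def header_bytes(header: dict) -> bytes:
    """Canonical encoding so signer and verifier hash identical bytes."""
    return json.dumps(header, sort_keys=True, separators=(",", ":")).encode()


def sign_header(key: bytes, header: dict) -> str:
    """Validator-side signing (HMAC stand-in for an ECDSA signature)."""
    return hmac.new(key, header_bytes(header), hashlib.sha256).hexdigest()


def signature_valid(key: bytes, header: dict, sig: str) -> bool:
    return hmac.compare_digest(sign_header(key, header), sig)


def verify_unpinned(header: dict, signatures: list, supplied_keys: dict) -> bool:
    """Weak check: the validator keys arrive in the same parameter as the
    header, so whoever builds the parameter chooses who counts as a validator."""
    for validator_id, sig in signatures:
        key = supplied_keys.get(validator_id)
        if key is not None and signature_valid(key, header, sig):
            return True
    return False


def verify_pinned(header: dict, signatures: list) -> bool:
    """Hardened check: pinned validator set, quorum of distinct signers, and the
    header must come from the expected foreign chain, never from this chain."""
    source = header.get("chain_id")
    if source != EXPECTED_SOURCE_CHAIN_ID or source == THIS_CHAIN_ID:
        return False  # wrong origin, or a self-referential loop
    signers = set()
    for validator_id, sig in signatures:
        key = PINNED_VALIDATOR_KEYS.get(validator_id)
        if key is None:
            continue  # unknown signer: ignored, never trusted
        if signature_valid(key, header, sig):
            signers.add(validator_id)  # a set, so one validator counts once
    return len(signers) >= QUORUM


def demo() -> tuple:
    """Returns (weak accepts forged, hardened accepts forged, hardened accepts genuine)."""
    genuine = {"chain_id": EXPECTED_SOURCE_CHAIN_ID, "height": 100, "tx_root": "ab" * 16}
    genuine_sigs = [(vid, sign_header(key, genuine))
                    for vid, key in list(PINNED_VALIDATOR_KEYS.items())[:QUORUM]]

    # Header signed with a key that is not in the pinned set, shipped together
    # with its own "validator set" (constructed, not a real attack payload).
    forged = {"chain_id": EXPECTED_SOURCE_CHAIN_ID, "height": 101, "tx_root": "cd" * 16}
    rogue_key = b"constructed-rogue-key"
    forged_sigs = [("rogue", sign_header(rogue_key, forged))]
    supplied_keys = {"rogue": rogue_key}

    return (
        verify_unpinned(forged, forged_sigs, supplied_keys),
        verify_pinned(forged, forged_sigs),
        verify_pinned(genuine, genuine_sigs),
    )


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the weak verifier accepting the header signed by the unknown key while the pinned verifier rejects it and still accepts a header carrying a genuine quorum; the same pinned check also rejects a header whose chain_id is the verifier’s own, and it counts a validator only once however many times its signature is repeated.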
Poly Network Response
In response to this incident, the Poly Network team has already initiated communication with centralized exchanges and law enforcement agencies seeking their assistance; additionally, they have requested that users withdraw liquidity and unlock their liquidity provider tokens, temporarily suspending services until further notice is issued.
It remains unclear how long it will take for exchanges and law enforcement authorities to help recover the lost funds; what is clear is that decentralised finance needs stronger security protocols, as more projects like Uniswap and Compound launch every week and offer attractive incentives to potential attackers, since these projects hold large amounts of funds.