
Hack Track: An Analysis of Poly Network Hack and Latest Related Events

[UPDATE 2021.08.23]

As per the update provided by Poly Network on 19 August 2021, assets worth approximately $427 million were returned by the hacker. The update further stated that 28,953 ETH and 1,032 WBTC (about $141 million) were still left in the 3/4 multi-signature wallet and that Poly Network was waiting for the hacker to provide his private key authorization.

On 23 August 2021, Poly Network released another update announcing that the hacker had publicly shared, through an on-chain message, the private key needed to regain control of the remaining assets. The announcement stated that Poly Network had successfully retrieved the remaining $141 million and had fully recovered all the user assets that were transferred out during the attack.

This comes after Poly Network promised the hacker a $500,000 bounty for the restoration of user funds, inviting him to become its “chief security advisor.”

Poly Network, after verifying the private key provided by the hacker, regained control of the $610 million (not including the frozen $33 million USDT) in assets that were affected in this attack. With respect to the recovery of the $33 million USDT, Poly Network stated that they have been in close communication with Tether and that “Tether is in the process of confirming the final unfreezing process” with them. Additionally, Poly Network thanked the hacker for his cooperation and stated that they had officially entered the fourth phase of their roadmap, “Asset Recovery.” The Poly Network team is in the process of returning full asset control to their users as swiftly as possible.

According to the panelists of Merkle Science’s “Regulating the DeFi Frontier: Where Consumer Protection & Financial Innovation Collide” webinar, the Poly Network hack is a classic example of a situation where enforcement may arrive before regulation. The panelists noted that collective action by the crypto industry, such as blockchain analytics, blocking certain transactions, and adding the individual tokens to blacklists, may have pushed the hacker to return the stolen amount.

On 10 August 2021, Poly Network was attacked by a hacker, losing over $600 million — the largest crypto hack since the Coincheck hack in 2018 — across the Ethereum, Binance Smart Chain, and Polygon blockchains. The hack was initially rumored to be a leak of the private key of a single keeper in the network, but Poly Network and others in the blockchain community have confirmed that the hacker exploited a smart contract vulnerability between contract calls.

Smart contract risks are one of the five most common types of DeFi risks Merkle Science identified in its report, “Diving into DeFi: Fundamentals from the Financial Frontier”. As more and more users are exploring decentralized finance, it is important for individuals to understand how DeFi is being used as well as the risks they may be exposed to when it comes to engaging with the ecosystem.

What happened?

Poly Network is a DeFi platform that facilitates peer-to-peer transactions across different blockchains. A vulnerability in Poly Network’s smart contract code allowed the hacker to commit the crime.

Twitter user @kelvinfichter did an analysis of what happened at the code level. They began by saying “Poly is a cross-chain transaction project. Basically, they allow you to move assets between different blockchains.” Their plain-English explanation follows (lightly edited for clarification):

  1. A user deposits their assets into a “lock box” on Blockchain A.
  2. A representation of those assets appears on another blockchain (Blockchain B).
  3. The “lock box” on Blockchain A will only ever release assets if it receives a message from the corresponding “lock box” on Blockchain B asking it to do so.
  4. “Lock box A” authenticates the message from “Lock box B” by checking that it has been verified by a group of individuals that Poly Network calls “bookkeepers.”
  5. The hacker was able to override the list of bookkeepers so that the hacker was the only bookkeeper needed for verification.
  6. This made it possible for the hacker to create fake messages from “Lock box B” to “Lock box A”.
  7. “Lock box A” authenticated the fake message from “Lock box B” by checking the hacker’s bookkeeper status, thereby releasing the funds in “Lock box A” to the hacker.
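To make steps 4 to 7 concrete, here is a constructed model of a lock box that authenticates relayed messages against a bookkeeper quorum; it is added here for illustration and is not Poly Network’s code (the names `Message`, `LockBox`, `relay`, `simulate` and the bookkeeper ids are assumptions). The same simulation is run twice, once with the bookkeeper registry reachable through the cross-chain message path and once with it isolated, to show why that privilege separation is the control that matters.

```python
from dataclasses import dataclass
# Constructed model, not Poly Network's contracts: a relayed cross-chain message
# names a target contract, carries a payload, and records which bookkeepers attested to it.
@dataclass(frozen=True)
class Message:
    target: str        # "lockbox" (release funds) or "registry" (replace the bookkeeper set)
    payload: dict
    signers: frozenset # ids of the bookkeepers who attested to this message

class LockBox:
    def __init__(self, bookkeepers, threshold, balance, isolate_registry):
        self.bookkeepers = frozenset(bookkeepers)
        self.threshold = threshold
        self.balance = balance
        # Hardened mode: registry changes are not accepted over the same path that authorizes releases.
        self.isolate_registry = isolate_registry

    def relay(self, target, payload):
        """Step 4: the current bookkeepers attest to whatever the counterpart lock box relays."""
        return Message(target, payload, self.bookkeepers)

    def _authenticated(self, msg):
        return msg.signers <= self.bookkeepers and len(msg.signers) >= self.threshold

    def handle(self, msg):
        if not self._authenticated(msg):
            return "rejected: not attested by a quorum of current bookkeepers"
        if msg.target == "registry":
            if self.isolate_registry:
                return "rejected: registry updates are not accepted over the cross-chain path"
            self.bookkeepers = frozenset(msg.payload["keepers"])  # step 5 succeeds
            self.threshold = msg.payload["threshold"]
            return "bookkeepers replaced"
        if msg.target == "lockbox":
            amount = msg.payload["amount"]
            if amount > self.balance:
                return "rejected: insufficient balance"
            self.balance -= amount
            return f"released {amount}"
        return "rejected: unknown target"

def simulate(isolate_registry):
    """Replay steps 5-7 against a lock box; returns (outcomes, remaining balance)."""
    box = LockBox({"k1", "k2", "k3", "k4"}, threshold=3, balance=1_000, isolate_registry=isolate_registry)
    # Step 5: a relayed message addressed to the registry, attested by the real bookkeepers.
    r1 = box.handle(box.relay("registry", {"keepers": ["attacker"], "threshold": 1}))
    # Steps 6-7: a forged release request attested only by the "attacker" id.
    r2 = box.handle(Message("lockbox", {"amount": 1_000}, frozenset({"attacker"})))
    return (r1, r2), box.balance
```

With the registry reachable, the forged release drains the balance; with it isolated, the registry message is refused and the forged release fails authentication because the bookkeeper set never changed.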

 

Recovering assets

Poly Network issued a formal letter to the hacker asking them to open communication and return the hacked assets. The network has also asked crypto exchanges like Binance, Huobi, OKEx, and Coinbase to blacklist tokens coming from all of the hacker’s addresses.

Tether also blacklisted $33,431,197 worth of tokens that were associated with the hacker’s wallet.

In a unique turn of events, the hacker returned more than one-third of the stolen funds on 11 August. Poly Network announced on Twitter that $260 million has been returned, with $353 million left outstanding. In messages encoded in the transactions, the hacker said they did it “for fun” and they “take the responsibility to expose the vulnerability before any insiders [are] hiding and exploiting it!”

What does this mean for DeFi regulations?

Merkle Science’s EVP Americas and Global Chief Legal Officer, Mary Beth Buchanan, commented in the immediate aftermath of the hack, saying: “The FATF — the inter-governmental organization that provides global guidance on preventing money laundering and terrorist finance — has already highlighted DeFi as an area where further guidance is needed, and incidents such as this hack will certainly place DeFi front and center for regulators around the globe. There is certainly a need for greater regulation and guidance around DeFi. But while regulators may be eager to put rules and regulations in place, hastily-created regulations may not be effective in protecting users from hacks and scams.

“There are a few challenges that regulators have to overcome with regard to regulating the DeFi ecosystem. The first is in understanding DeFi’s infrastructure and the new ways in which value is being created and transferred. There are products being created and used in DeFi that do not have equivalents in traditional finance. A second challenge is the speed at which DeFi hacks and illicit activity happen. As transfers are made through code embedded in the smart contracts, hacks happen within seconds, making the use of technology critical to detect crimes so that proper action may be taken to stop criminals in their tracks. Finally, even with the regulation in place, enforcement will pose a significant challenge.”

Merkle Science’s On-Chain Analysis

The hacker used three chains to exploit and move funds — Ethereum, BSC, and Polygon. Below is an investigation into the tokens stolen on each chain and the subsequent movement of the funds. All dollar values are in USD, unless stated otherwise.

ETHEREUM 

Ten types of tokens — worth nearly $272 million — were stolen on the Ethereum blockchain. The details of the stolen tokens are listed below.

| Txn No. | Transaction Hash | Interacted With | From | To | Token Amount | USD Value |
|---|---|---|---|---|---|---|
| 1 | 0xad7a2c70c958fcd3effbf374d0acf3774a9257577625ae4c838e24b0de17602a | 0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270 (contract) | 0x250e76987d838a75310c34bf422ea9f1AC4Cc906 | 0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963 (Hacker) | 2,857.48 ETH | $8,857,138 |
| 2 | 0x5a8b2152ec7d5538030b53347ac82e263c58fe7455695543055a2356f3ad4998 | 0x838bf9E95CB12Dd76a54C9f9D2E3082EAF928270 (USDC Contract) | 0x250e76987d838a75310c34bf422ea9f1AC4Cc906 | 0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963 (Hacker) | 96,389,444.229984 USDC | $96,389,444.23 |
| 3 | 0x3f55ff1fa4eb3437afe42f4fea57903e8e663bc3b17cb982f1c8d4c8f03a2083 | 0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270 (contract) | 0x250e76987d838a75310c34bf422ea9f1AC4Cc906 | 0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963 (Hacker) | 1,032.12483694 WBTC | $46,666,492.38 |
| 4 | 0xa7c56561bbe9fbd48e2e26306e5bb10d24786504833103d3f023751bbcc8a3d9 | 0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270 (contract) | 0x250e76987d838a75310c34bf422ea9f1AC4Cc906 | 0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963 (Hacker) | 673,227.94153 Dai | $673,227.94 |
| 5 | 0xc917838cc3d1edd871c1800363b4e4a8eaf8da2018e417210407cc53f94cd44e | 0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270 (contract) | 0x250e76987d838a75310c34bf422ea9f1AC4Cc906 | 0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963 (Hacker) | 43,023.75 UNI | $1,236,932.85 |
| 6 | 0xe05dcda4f1b779989b0aa2bd3fa262d4e6e13343831cb337c2c5beb2266138f5 | 0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270 (contract) | 0x250e76987d838a75310c34bf422ea9f1AC4Cc906 | 0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963 (Hacker) | 259,737,345,149.519 SHIB | $1,940,237.97 |
| 7 | 0xb12681d9e91e69b94960611b227c90af25e5352881907f1deee609b8d5e94d7d | 0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270 (contract) | 0x250e76987d838a75310c34bf422ea9f1AC4Cc906 | 0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963 (Hacker) | 14.47 renBTC | $653,628.31 |
| 8 | 0x06aca16c483c3e61d5cdf39dc34815c29d6672a77313ec36bf66040c256a7db3 | 0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270 (contract) | 0x250e76987d838a75310c34bf422ea9f1AC4Cc906 | 0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963 (Hacker) | 33,431,197.73 USDT | $33,431,197.73 |
| 9 | 0xc797aa9d4714e00164fcac4975d8f0a231dae6280458d78382bd2ec46ece08e7 | 0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270 (contract) | 0x250e76987d838a75310c34bf422ea9f1AC4Cc906 | 0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963 (Hacker) | 26,109.06 WETH | $81,163,409.28 |
| 10 | 0xd8c1f7424593ddba11a0e072b61082bf3d931583cb75f7843fc2a8685d20033a | 0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270 (contract) | 0x250e76987d838a75310c34bf422ea9f1AC4Cc906 | 0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963 (Hacker) | 616,082.58 FEI | $616,082.59 |
| TOTAL | | | | | | $271,621,791 |

The hacker made three unsuccessful transactions to provide liquidity to the curve.fi DAI/USDC/USDT pool. On the fourth try, they were successful in adding liquidity to the pool, depositing DAI and USDC stolen in the second and fourth transactions in the table above. 

| Transaction Hash | Token Amount | USD Value |
|---|---|---|
| 0xbc54deb446c8daa623611c062e2e49f374ef3a04ddb2a8f4b788c9e54eb14485 | 673,227.94 DAI | $673,227.94 |
| 0xbc54deb446c8daa623611c062e2e49f374ef3a04ddb2a8f4b788c9e54eb14485 | 96,389,444.22 USDC | $96,389,444.23 |

At the time of analysis, the hacker address had a balance of $181,983,531.81 in ERC-20 and ERC-721 tokens and $91,754,287.01 in ETH.

BINANCE SMART CHAIN

The attacker exploited Poly Network’s contracts on BSC in the same way as on Ethereum, transferring funds worth $250 million to an address on BSC.

| Txn No. | Transaction Hash | From | To | Token Amount | USD Value |
|---|---|---|---|---|---|
| 1 | 0xd59223a8cd2406cfd0563b16e06482b9a3efecfd896d590a3dba1042697de11a | 0x8ac76a51cc950d9822d68b83fe1ad97b32cd580d (Binance-Peg USD Coin contract) | 0x0d6e286a7cfd25e0c01fee9756765d8033b32c71 (Hacker) | 87,603,373.77 Binance-Peg USDC | $87,611,716.91 |
| 2 | 0x4e57f59395aca4847c4d001db4a980b92aab7676bc0e2d57ee39e83502527d6c | 0x2170ed0880ac9a755fd29b2688956bd959f933f8 (Binance-Peg Ethereum contract) | 0x0d6e286a7cfd25e0c01fee9756765d8033b32c71 (Hacker) | 26,629.15 Binance-Peg ETH | $83,419,039.20 |
| 3 | 0x50105b6d07b4d738cd11b4b8ae16943bed09c7ce724dc8b171c74155dd496c25 | 0x7130d2a12b9bcbfae4f2634d864a1ee1ce3ead9c (Binance-Peg BTCB Token) | 0x0d6e286a7cfd25e0c01fee9756765d8033b32c71 (Hacker) | 1,023.88 Binance-Peg BTCB | $46,216,838.37 |
| 4 | 0xd65025a2dd953f529815bd3c669ada635c6001b3cc50e042f9477c7db077b4c9 | 0xe9e7cea3dedca5984780bafc599bd69add087d56 (Binance-Peg BUSD Token) | 0x0d6e286a7cfd25e0c01fee9756765d8033b32c71 (Hacker) | 32,107,854.11 Binance-Peg BUSD | $32,112,866.99 |
| 5 | 0xea37b320843f75a8a849fdf13cd357cb64761a848d48a516c3cac5bbd6caaad5 | 0x8ac76a51cc950d9822d68b83fe1ad97b32cd580d (Binance-Peg USD Coin) | 0x0d6e286a7cfd25e0c01fee9756765d8033b32c71 (Hacker) | 298.940 Binance-Peg USDC | $299.01 |
| Total | | | | | $249,360,760 |

$119 million was moved from the BSC address to provide liquidity to the Ellipsis Finance BUSD/USDC/USDT 3EPS pool through the following transactions:

| Transaction Hash | Token Amount | USD Value |
|---|---|---|
| 0x6768b4848b6713347195330a1a31326d3c060a9a828d5b5ec51bc6653bcc9b4e | 87,603,672.715 BUSD | $32,107,721.65 |
| 0x6768b4848b6713347195330a1a31326d3c060a9a828d5b5ec51bc6653bcc9b4e | 87,603,672.71 Binance-Peg USDC | $87,603,676.04 |

At the time of analysis, the hacker address had a balance of $131,086,534.15 in BEP-20 and ERC-721 tokens and $2,526,478.25 worth of BNB.

POLYGON 

The hacker 0x5dc3603C9D42Ff184153a8a9094a73d461663214 successfully transferred 85,089,719 USDC from the Polygon blockchain. 

| Txn No. | Transaction Hash | From | To | Token Amount | USD Value |
|---|---|---|---|---|---|
| 1 | 0x1d260d040f67eb2f3e474418bf85cc50b70101ca2473109fa1bf1e54525a3e01 | 0x2791bca1f2de4661ed88a30c99a7a9449aa84174 (USD Coin (PoS) contract) | 0x5dc3603c9d42ff184153a8a9094a73d461663214 (Hacker) | 85,089,610.911661 USDC (PoS) | $85,089,610.91 |
| 2 | 0xfbe66beaadf82cc51a8739f387415da1f638d0654a28a1532c6333feb2857790 | 0x2791bca1f2de4661ed88a30c99a7a9449aa84174 (USD Coin (PoS) contract) | 0x5dc3603c9d42ff184153a8a9094a73d461663214 (Hacker) | 108.694578 USDC (PoS) | $108.69 |

At the time of analysis, the hacker address had a balance of $85,032,072 in ERC-20 and ERC-721 tokens and $64.01 worth of MATIC tokens.