Hack Track: An Analysis of Poly Network Hack and Latest Related Events

[UPDATE 2021.08.23]

As per the update provided by the Poly Network on 19 August 2021, assets worth approximately $427 million were returned by the hacker. The update further stated that 28,953 ETH and 1,032 WBTC (about $141 million) were still left in the ¾ multi-signature wallet and that Poly Network is waiting for the hacker to provide his private key authorization.

On 23 August 2021, Poly Network released another update announcing that the hacker has publicly shared the private key needed to regain control of the remaining assets through an on-chain message. The announcement stated that Poly Network has successfully retrieved the remaining $141 million and has fully recovered all the user assets that were transferred out during the attack.

This comes after Poly Network promised the hacker a $500,000 bounty for the restoration of user funds, inviting him to become its “chief security advisor.”

Poly Network after verifying the private key provided by the hacker regained control of the $610 million (not including the frozen $33 million USDT) in assets that were affected in this attack. With respect to the recovery of $33 million USDT, Poly Network stated that they have been in close communication with Tether and that “Tether is in the process of confirming the final unfreezing process” with them. Additionally, Poly Network thanked the hacker for his cooperation and stated that they had officially entered the fourth phase of their roadmap “Asset Recovery.” The Poly Network team is in the process of returning full asset control to their users as swiftly as possible.

As per the panelists of Merkle Science’s “Regulating the DeFi Frontier: Where Consumer Protection & Financial Innovation Collide” webinar, the Poly Network hack is a classic example of the situation where enforcement may arrive before regulation. The panelists noted that the collective action of the crypto industry such as blockchain analytics, blocking certain transactions, and adding the individual tokens to the black lists may have pushed the hackers to return the stolen amount

On 10 August 2021, the Poly Network was attacked by a hacker, losing over $600 million — the largest crypto hack since the Coincheck hack in 2018 — across the Ethereum, Binance Smart Chain, and Polygon blockchains. (The previous record  The hack was initially rumored as a leak of the private key of a single keeper in the network but the Poly Network and others in the blockchain community have confirmed that the hacker exploited a smart contract vulnerability between contract calls. 

Smart contract risks are one of the five most common types of DeFi risks Merkle Science identified in its report, “Diving into DeFi: Fundamentals from the Financial Frontier”. As more and more users are exploring decentralized finance, it is important for individuals to understand how DeFi is being used as well as the risks they may be exposed to when it comes to engaging with the ecosystem.

What happened?

Poly Network is a DeFi platform that facilitates peer-to-peer transactions across different blockchains. A vulnerability in Poly Network’s smart contract code allowed the hacker to commit the crime.

Twitter user @kelvinfitcher did an analysis of what happened at the code level. They began by saying “Poly is a cross-chain transaction project. Basically, they allow you to move assets between different blockchains.” They explain on their Twitter in plain English **edits are made below for clarification**

1. A user deposits their assets into a “lock box” on Blockchain A
2. A resulting representation of those assets appears on another blockchain (Blockchain B)
3. The “lock box” on Blockchain A will only ever release assets if it receives a message from the corresponding “lock box” on Blockchain B asking it to do so.
4. “Lock box A” will authenticate the message from “Lock box B” by checking that it’s been verified by a group of individuals that the Poly Network calls “bookkeepers.”
5. The hacker was able to override the list of bookkeepers so that the hacker was the only bookkeeper needed for verification.
6. This allowed it to be possible for the hacker to create fake messages from “Lock box B” to “Lock box A”.
7. “Lock box A” authenticated the fake message from “Lock box B” by checking the hacker’s bookkeeper-status verification, thereby releasing the funds in “Lock box A” to the hacker.

Recovering assets

The Poly Network issued a formal letter to the hacker asking them to communicate and return the hacked assets. The network has also asked crypto exchanges like Binance, Huobi, OKEx, and Coinbase to blacklist tokens coming from all of the hacker’s addresses. 

Tether also blacklisted $33,431,197 worth of tokens that were associated with the hacker’s wallet.

In a unique turn of events, the hacker returned more than one-third of the stolen funds on 11 August. Poly Network announced on Twitter that $260 million has been returned, with $353 million left outstanding. In messages encoded in the transactions, the hacker said they did it “for fun” and they “take the responsibility to expose the vulnerability before any insiders [are] hiding and exploiting it!”

What does this mean for DeFi regulations?

Merkle Science’s EVP Americas and Global Chief Legal Officer, Mary Beth Buchanan, commented in the immediate aftermath of the hack, saying: “The FATF — the inter-governmental organization that provides global guidance on preventing money laundering and terrorist finance — has already highlighted DeFi as an area where further guidance is needed,, and incidents such as this hack will certainly place DeFi front and center for regulators around the globe. There is certainly a need for greater regulation and guidance around DeFi. But while regulators may be eager to put rules and regulations in place, hastily-created regulations may not be effective in protecting users from hacks and scams.

“There are a few challenges that regulators have to overcome with regard to regulating the DeFi ecosystem. The first is in understanding DeFi’s infrastructure and the new ways in which value is being created and transferred. There are products being created and used in DeFi that do not have equivalents in traditional finance. A second challenge is a speed at which DeFi hacks and illicit activity happens. As transfers are made through code embedded in the smart contracts, hacks happen within seconds, making the use of technology critical to detect crimes so that proper action may be taken to stop criminals in their tracks. Finally, even with the regulation in place, enforcement will pose a significant challenge.”

Merkle Science’s On-Chain Analysis

The hacker has used three chains to exploit and move funds — Ethereum, BSC, and Polygon. Below is an investigation into the tokens hacked and tracking the movement of funds. All dollar values are in USD, unless stated otherwise. 

ETHEREUM 

Ten types of tokens — worth nearly $272 million — on the Ethereum blockchain have been stolen and the details of the tokens stolen are mentioned below. 

The hacker made three unsuccessful transactions to provide liquidity to the curve.fi DAI/USDC/USDT pool. On the fourth try, they were successful in adding liquidity to the pool, depositing DAI and USDC stolen in the second and fourth transactions in the table above. 

At the time of analysis, the hacker address had a balance of  $181,983,531.81 in ERC-20 and ERC-721 tokens and $91,754,287.01 in ETH. 

BINANCE SMART CHAIN

The attacker exploited the BSC blockchain in a similar way to the Ethereum blockchain. They transferred funds worth $250 million USD to BSC.

$119 million has been moved from the BSC address to provide liquidity to the Ellipsis Finance BUSD/USDC/USDT 3EPS pool through the following transactions:

At the time of analysis, the hacker address had a balance of $131,086,534.15 in BEP-20 and ERC-721 tokens and $2,526,478.25 worth of BNB . 

POLYGON 

The hacker 0x5dc3603C9D42Ff184153a8a9094a73d461663214 successfully transferred 85,089,719 USDC from the Polygon blockchain. 

At the time of analysis, the hacker address had a balance of $85,032,072 in ERC-20 and ERC-721 tokens on the address and $64.01 worth of MATIC tokens.