The saga behind $610 million Poly Network cryptocurrency theft — everything we know about the mysterious hacker behind the attack and what went down over the last three days

How did the hacker steal $610 million from the Poly Network?

The hacker claims to have noticed a security hole in how Poly Network uses ‘smart contracts’ called tokens to trade cryptocurrencies, explained in a tweet thread by Kelvin Fichter, a blockchain developer.Advertisement
Poly Network is a ‘cross chain’ platform that tries to help users communicate across completely different blockchains. This means being able to make transactions across Bitcoin, Ethereum, Ontology, Binance Smart Chain, and so on.While using ‘blockchain interoperability’ to solve one problem of cryptocurrencies – siloed communication within separate blockchains – Poly was exposed as vulnerable by the hacker and jeopardised their users’ money instead.Like all software, Poly seems to have had a bug that was not identified until now, an instruction that was used only internally and should not have been possible to access by those outside the company. As posited by Fichter on Twitter and confirmed by the hacker’s comments, the hacker sent out a message through the Ontology blockchain network to use a special internal instruction called EthCrossChainManager. That resulted in transferring ownership of other smart contracts, and thus the cryptocurrency underpinning those contracts, to wallets controlled by the hacker.

The largest haul in crypto history

AdvertisementAs a result, the hacker took over ownership of $610 million worth of cryptocurrency – denominated in 12 different currencies including Ether coins, Binance Smart Chain coins and Polygon tokens.
Stolen assetAmount stolen
Ethereum$273 million
Binance Smart Chain$253 million
Polygon$85 million
Source: Poly NetworkThe quantum of loss meant that Poly wasn’t going to hush up a security breach – they tweeted an open letter that began with ‘Dear Hacker’, declared it a major economic crime, and advised that a solution be worked out to return the hacked assets. A cybersecurity firm called SlowMist helped analyse the attack, but the hacker remains unidentified so far.

He saw, he conquered - and then gave it all back?

The hacker claimed to have exchanged a portion of the currency for stablecoins — like Tether and USD Coin — to gain interest on the amount while negotiating with the company to return the money.AdvertisementAs of 12 August 2021, the company has recovered $342 million of the $610 million that was hacked, with $268 million in Ether coins still pending.

A ‘saint’ of cryptocurrency

The same day after the successful hack, the unidentified hacker conveyed messages to Poly Network through transaction comments – first saying “Ready to return the fund!” and that, “The hacker is ready to surrender.”From their stated perspective, the hacker took control of the money to keep it safe. They saw a bug that could be exploited to acquire millions, and felt nobody could be trusted with the information. In their Q&A, they claim the vulnerability had to be exposed before an insider within the company could hide or benefit from it.AdvertisementDespite having hacked the Poly Network, they still say it is ‘decent’, a ‘well designed system’, and a ‘challenge’ they enjoyed. They claim leaving lower-volume coins out of the hack, and not selling the coins they did take over, were steps they took to avoid a ‘real panic of the crypto world’.They hope the Poly team ‘learn something from those hacks’, and want to give them tips on securing their networks, so they ‘can be eligible to manage the billion project’ in the future. They claim to have ‘enough money’, want adventures, fight fate and dread death.They seem to indicate that ‘DeFi security’ is hackable, but ‘not enjoyable’ as a real hacker. They mention a selfish motive to be ‘cool’, that ‘cross chain hacking is hot’, but chose to refund the hack as they wanted to be ‘the moral leader’.In continued exchanges through transaction comments, Poly Network appreciated the 'white hat behavior' and offered a bounty of $500,000 in return. The hacker did not accept the bounty offer, responding with "I will send all of their money back."Advertisement

The Poly Network hacker is now saying that they were offered a $500k bounty to return the stolen assets - but that…

— Tom Robinson (@tomrobin) 1628784566000

What happens next?

Poly Network’s bridge, which acts as an intermediary for multiple chains and is a major part of a cross-chain platform, was temporarily closed as of 13 August 2021. It is expected to open when the hack is resolved and the site regains full functionality.If Poly Network presses charges, a legal case might exist to proceed against the hacker. However, the hacker dubbed ‘Mr White Hat’ is co-operating with the company and seems to want their vulnerabilities fixed. No legal charges have been opened so far.As seen from earlier attacks on DeFi systems, and the hacker’s comments, it would seem that security of DeFi systems is still evolving. So the question of whether to expect more hacks on other such centralised systems that use cryptocurrencies, is an open one.Major cryptocurrencies themselves are relatively safer, because of the built-in security, architecture that doesn’t expect trusted insiders, their decentralised nature and continuous bug fixes by the community.Advertisement

Large DeFi attacks this year

According to an August 2021 report by crypto intelligence firm CipherTrace, DeFi-related hacks are trending upward in 2021. DeFi-related hacks at $361 million accounts for 76% of crypto-hacks so far this year, compared to $129 million or 25% of the total crypto hacks for all of the year 2020. Cross-chain DeFi exchanges suffered a lot, as shown in the three examples below.
MonthDeFi entityLossDescription
July 2021THORChain$13 millionWas attacked twice, lost various currencies. They recovered $8 million the second time, after paying the hacker a bug bounty.
July 2021ChainSwap$8.8 millionWas attacked twice, lost smart contract assets. The hackers remain at large.
May 2021Rari Capital$10 millionLost crypto assets due to an ‘evil contract’ exploit. The hackers weren’t found, Rari’s developers (which they called contributors) paid a portion of their incentives to reimburse affected users.
May 2021PancakeBunny$45 millionLost value of their BUNNY token due to a ‘flash loan’ exploit. Its value dropped by 96%, from $146 to $6. The attackers weren’t caught, and the token’s value is still down by 90% even three months later.
Inferring from the events of these three days, the Poly Network exploit could serve as a warning for future developers in the crypto and blockchain space. The probable direct impact of this hack went from an earthquake that could ruin investors, to a remarkably tame ending where all parties involved may come out unscathed. However, the indirect impact may be upon the funding of crypto exchanges, coin offerings, and DeFi platforms – all of which have been raising capital at a frenetic pace. Where the money until now favoured innovations and first movers, this incident would shine a brighter light on the internal security of ventures.AdvertisementSEE ALSO:CoinDCX becomes India’s first crypto unicorn as it joins the leagues of Binance, Robinhood, Ripple, and othersHacker behind $610 million crypto hack conducts AMA — claims returning the money was always ‘a part of the plan’Crypto markets are recovering, and mining companies in North America are raking in the gains{{}} NewsletterSIMPLY PUT - where we join the dots to inform and inspire you. Sign up for a weekly brief collating many news items into one untangled thought delivered straight to your mailbox.CAPTCHA:Enter captchaBy clicking ‘Sign up’, you agree to receive marketing emails from Insider as well as other partner offers and accept our Terms of Service and Privacy Policy
Next StoryWhat are stock warrants and why do companies offer them?

The saga behind 0 million Poly Network cryptocurrency theft — everything we know about the mysterious hacker behind the attack and what went down over the last three days