Poly Network is a decentralised finance (DeFi) platform that facilitates peer-to-peer transactions.
On Tuesday, hackers stole $613 million (approximately Rs. 4,550 crores) worth of digital coins from token-swapping platform Poly Network, only to restore $342 million (about Rs. 2,540 crores) worth of tokens less than 24 hours later, according to the business. Here’s everything we know about the heist so far.
What exactly is a Poly Network?
Poly Network is a decentralised finance (DeFi) network that supports peer-to-peer transactions with a focus on allowing users to move or trade tokens across different blockchains. It is a lesser-known name in the world of cryptocurrencies. Poly Network’s website did not make it obvious where the platform is based or who runs it. Poly Network was founded by the founders of Chinese blockchain project Neo, according to specialised crypto website Coindesk.
How did the tokens get into the hands of hackers?
The Binance Smart Chain, Ethereum, and Polygon blockchains are used by Poly Network. Tokens are traded between blockchains using a smart contract that specifies when the assets should be released to the counterparties. As of 6 p.m. IST on August 12, the price of Ethereum in India was Rs. 2.4 lakhs.
According to crypto intelligence firm CipherTrace, one of the smart contracts Poly Network employs to transfer tokens across blockchains maintains high quantities of liquidity to allow users to efficiently trade tokens.
According to a preliminary assessment, the hackers exploited a weakness in this smart contract, Poly Network tweeted on Tuesday. The hackers seemed to override the contract rules for each of the three blockchains and divert the funds to three wallet addresses, digital places for keeping tokens, according to an analysis of the transactions tweeted by Kelvin Fichter, an Ethereum programmer. Poly Network was later able to track them down and publish them.
The attackers stole funds in more than 12 different cryptocurrencies, including ether and a type of bitcoin, according to blockchain forensics company Chainalysis.
A person claiming to have perpetrated the hack said they had spotted a “bug,” without specifying, and that they wanted to “expose the vulnerability” before others could exploit it, according to digital messages posted on the Ethereum network published by Chainalysis. Reuters could not verify the authenticity of the messages.
Where did the money go?
As of late Wednesday, the hackers had returned $342 million (roughly Rs. 2,540 crores) of the assets, Poly Network said, but $353 million (roughly Rs. 2,620 crores) was outstanding. It is unclear where the remaining assets have gone.
Coindesk reported on Tuesday that the hackers had tried to transfer assets including tether tokens from one of the three wallets into liquidity pool Curve.fi, but that transfer was rejected. About $100 million (roughly Rs. 740 crores) has been moved out of another of the wallets and deposited into liquidity pool Ellipsis Finance, Coindesk also reported. Curve.fi. and Ellipsis Finance could not immediately be reached for comment.
Who is the hacker?
The hacker or hackers has not yet been identified.
Cryptocurrency security firm SlowMist said on its website that it has identified the attacker’s mailbox, internet protocol address, and device fingerprints, but the company has not yet named any individuals. SlowMist said the heist was “likely to be a long-planned, organised and prepared attack.”
Despite the purported hacker posing as a so-called “white hat”, an ethical hacker who aimed to identify the vulnerability for Poly Network and had “always” planned to give the money back, according to the messages published by Chainalysis, some crypto experts are skeptical.
Gurvais Grigg, chief technology officer at Chainalysis and former FBI veteran, said it was unlikely that white hat hackers would steal such a large sum. He said they had probably returned some of the funds because it had proved too difficult to convert them into cash.
“It’s hard to know the motivation … Let’s see the if they return the whole amount,” he added.