Recently, there has been a lot of buzz about the theft of $610 million in assets from the cross-chain interoperability protocol organization Poly Network by hackers. As of the latest report on the 24th, the hacker has returned all $610 million in assets (except for $33 million in USDT that was frozen). Poly Network has now decided not to pursue legal action against him and intends to hire him as the company’s chief security advisor.

Event Review

On August 10, Poly Network announced that it had been attacked by hackers who exploited a vulnerability in its systems and stole thousands of digital tokens, including Ether, for a total value of $613 million in stolen crypto assets.

Poly Network stated on Twitter:

Important notice: We regret to announce that #PolyNetwork was attacked by @BinanceChain, @ethereum and @0xPolygon

Assets have been transferred to the following addresses of the hackers. ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 and BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8037.B32

After Poly Network issued an ultimatum to the attackers to “establish contact and return stolen assets” and warned that they would otherwise be pursued by law enforcement agencies in various countries, the attackers began returning some of the cryptocurrency they had stolen.

Meanwhile, Tether’s chief technology officer, Paolo Ardoino, tweeted that Tether had frozen about $33 million worth of Tether coins stolen by the hackers.

On August 11, approximately $260 million worth of cryptocurrency was returned to Poly Network’s address, including $256 million in BSC, $1 million from Polygon, and $3.3 million from Ether.

On August 12, Poly Network posted on Twitter that the hackers had returned about a third of the stolen funds, totaling $260 million.

On Aug. 17, Poly Network also said it had decided not to pursue the attacker as he had returned most of the digital assets. In addition, he was hired as the company’s chief security advisor.

This is the whole story of this incident. In a follow-up report, a hacker who claimed to be involved in the “coin theft” attack said that he wanted to expose the vulnerability before others used it, and that he did it for “fun”.

Event Analysis

Poly Network is a cross-chain organization launched in August 2020 by Neo, Ontology and Switcheo Foundation as the founding members and Distribution Technology as the technology provider. The organization uses a uniquely designed heterogeneous chain and cross-chain bridge technology to control the cross-chain by deploying smart contracts on the source chain, claiming to be the world’s leading “lightweight” heterogeneous chain cross-chain interoperability protocol.

Security teams in the industry also gave their view of this incident: it may have been a long-planned, organized and prepared attack. Their reasoning is as follows.

According to the information provided by Poly Network, the hackers began to return some of the cryptocurrency they had stolen only after Poly Network issued an ultimatum to the hackers to “establish contact and return the stolen assets” and warned them that they would be hunted down by law enforcement agencies in various countries.

The attackers involved in the incident then sent Poly Network a message embedded in a cryptocurrency transaction stating that they were “ready to return” the funds. Poly Network then responded by asking them to send the cryptocurrency to three addresses.

As a result, industry analysts say, “Combining the flow of funds and multiple fingerprints reveals that the source of the funds was Monero (XMR), which was switched to BNB/ETH/MATIC on the exchange and withdrawn to three addresses, and then the attack was launched on three chains”, or possibly “Since the cross-chain contract keeper was modified to the hacker’s address, the attacker could construct a transaction to withdraw any amount of money from the contract at will”. This attack, therefore, was intentional.

According to the latest analysis by security firm BlockSec, the reason for the attack on Poly Network may be that “the private key used for cross-chain signing was leaked or there was a logical flaw in the signing process that led to the signing of the attacked transaction”.
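The two explanations quoted above (a keeper replaced by the attacker's address, or a leaked or misused signing key) can both be caught by checking every unlock against an independent record of source-chain locks. The following is an added example, not Poly Network's code or any analyst's tooling; the event layout, addresses and amounts are constructed assumptions.

```python
# Added example: audit a bridge's event stream for the two failure modes above.
# Event layout, addresses and amounts are constructed, not Poly Network data.
EVENTS = [
    {"type": "lock", "tx": "0xa1", "amount": 100},
    {"type": "unlock", "tx": "0xb1", "src_tx": "0xa1", "amount": 100, "keeper": "0xKEEPER"},
    # Trust root replaced, then an unlock that no source-chain lock backs.
    {"type": "keeper_changed", "tx": "0xb2", "new": "0xUNKNOWN"},
    {"type": "unlock", "tx": "0xb3", "src_tx": "0xdead", "amount": 5000, "keeper": "0xUNKNOWN"},
    # Legitimate keeper key, but still no backing lock (leaked key or signing flaw).
    {"type": "unlock", "tx": "0xb4", "src_tx": "0xa9", "amount": 70, "keeper": "0xKEEPER"},
]


def audit(events, approved_keepers):
    """Return (tx, reason) alerts for keeper changes and unbacked unlocks."""
    locks, redeemed, alerts = {}, set(), []
    for e in events:
        if e["type"] == "lock":
            locks[e["tx"]] = e["amount"]
        elif e["type"] == "keeper_changed":
            if e["new"] not in approved_keepers:
                alerts.append((e["tx"], "keeper set to unapproved address"))
        elif e["type"] == "unlock":
            if e["keeper"] not in approved_keepers:
                alerts.append((e["tx"], "unlock authorized by unapproved keeper"))
            src = e["src_tx"]
            if src not in locks:
                alerts.append((e["tx"], "no matching source-chain lock"))
            elif src in redeemed:
                alerts.append((e["tx"], "source lock already redeemed"))
            elif e["amount"] > locks[src]:
                alerts.append((e["tx"], "unlock exceeds locked amount"))
            else:
                redeemed.add(src)
    return alerts


if __name__ == "__main__":
    for tx, reason in audit(EVENTS, approved_keepers={"0xKEEPER"}):
        print(tx, reason)
```

The lock-matching check is the one that still fires when the signature itself is valid, which is the case in both quoted explanations.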

Event Alert

According to industry analysis, there had been very few cross-chain attacks in the industry before that. But in the five security incidents that emerged in the short time since, a total of more than $17 million has been lost. Cross-chain attacks have increased significantly, and hackers seem to have started targeting the cross-chain protocol ecosystem.

Also belonging to the NEO ecosystem, O3, one of the cross-chain protocols with the largest lock-in, has previously seen multiple organized attacks against other cross-chain protocols. However, these attacks have not raised enough alarm from Poly Network, which is really mind-boggling.

In recent years, Poly Network, which has continued to make efforts in the field of DeFi, has also started to become a target of attacks. In this regard, industry research analysts said, “The interoperability between DeFi protocols has become increasingly complex, thus opening up new attack vectors and will become more frequent in the future.”

The “coin theft” of Poly Network by hackers is said to be the most serious security incident in the history of the DeFi (decentralized finance) industry. The hackers used a vulnerability in Poly Network’s code to transfer digital assets to themselves.

U.S. financial regulators are now very concerned about DeFi. The U.S. SEC has brought charges in its first DeFi case and may increase its efforts in response to the incident, which is believed to have triggered a global regulatory crackdown on DeFi.

Poly Network has also just commented on the recovered assets: “To date, Poly Network has regained control of $610 million (not including the frozen $33 million in TEDA) in assets. We would like to thank Mr. Wyatt Hart once again for fulfilling his promise, as well as the community, partners and multiple security agencies for their help.”

In this Poly Network “coin theft” case, the hacker has returned most of the digital assets, and Poly Network has said that it will not pursue the case. Even so, it is the most serious security incident in the field so far, and the impact on the whole industry is unprecedented. We believe that the NEO ecosystem and the DeFi industry will pay attention to such incidents in the future and put more secure prevention mechanisms in place to jointly combat illegal attacks and maintain the positive development of the industry ecosystem.