crossroadsbonn
On August 10, unknown persons hacked the Poly Network inter-network protocol and stole $611 million in various cryptocurrencies. The project team called on the exchanges to block the stolen funds.
“We regret to inform you that the Poly Network has been attacked on the Ethereum, Binance Smart Chain and Polygon networks. We urge the miners of the affected blockchains and crypto exchanges to blacklist tokens coming from the above addresses,” the project team wrote.
According to preliminary estimates, the attackers stole $273 million on the Ethereum network, $253 million on the Binance Smart Chain network and $85 million in USDC on the Polygon network. Funds in the tokens WBTC, WETH, RenBTC, DAI, UNI, SHIB, FEI and others were affected. The hack was the largest in the history of the DeFi segment.
“We are aware of the Poly Network exploit. Although no one controls BSC (or ETH), we coordinate with our security partners to actively help. We do not give guarantees, but we will do everything in our power,” CZ said.
On August 11, an unknown attacker who had hacked the Chinese Poly Network inter-network protocol the day before announced his intention to return the $611 million stolen in the attack, CoinDesk reports.
The hacker embedded the statement in an Ethereum transaction, which he sent to himself around 07:00 Moscow time. In another message, he wrote that he could not contact Poly Network and asked for a multi-signature wallet address to return the funds.
The hacker added that he had already become a “legend” after carrying out the largest hack in the history of DeFi and the industry as a whole.
Poly Network endorsed the analysis by cybersecurity experts from SlowMist, who attributed the hack to an exploit in the protocol’s cross-chain functions. The Chinese company BlockSec suggested that the attack resulted from a private key leak.
Blockchain consultant Maya Zehavi pointed to the unexplored Chinese sector of decentralized finance.
Developer Kelvin Fichter analyzed in detail the mechanism of the attack on the Poly Network inter-network protocol, as a result of which the hacker withdrew $611 million in various cryptocurrencies.
According to him, in order to move assets between blockchains, Poly Network requests transaction confirmations based on the signature of validators. The attacker rewrote the code to authenticate transactions alone.
Fichter found out that Poly Network has a privileged EthCrossChainManager contract, which has the right to launch messages from another chain.
To perform a cross-chain transaction, the protocol uses the verifyHeaderAndExecuteTx function. It can be called by any user. It verifies the correctness of the block header, the signature, and the inclusion of the transaction in the block.
The function also invokes the EthCrossChainData target contract. According to the expert, the critical drawback is that all users had access to this action through the cross-chain mechanism.
“This contract keeps track of a list of public keys that authenticate data coming from another chain. If you change this list, the hacker will not have to crack the private keys,” he said.
“By sending a cross-chain message, the user can trick EthCrossChainManager into calling the EthCrossChainData contract by passing the onlyOwner check. Now the user just needs to create the correct data to run a function that changes public keys,” the analyst explained.
Later, in order to force EthCrossChainManager to call the correct function, the hacker forged the first four bytes of the incoming transaction data, the so-called signature hash.
Thanks to this, the hacker did not need to compromise the private key. He just created the right data and “the contract hacked itself.”
“One of the most important design lessons to be learned from this is: if you have such internetwork relay contracts, make sure that they cannot be used to invoke special contracts. If a contract needs such special privileges, make sure that users cannot invoke special contracts through inter-network messages,” Fichter said.
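A simplified model of this design lesson, added here as an illustration and not Poly Network's contract code: a relay that owns its key store changes the keeper list when handed a validly signed message aimed at that store, while a relay restricted to registered targets refuses it. `KeeperStore` and `Relay` stand in for EthCrossChainData and EthCrossChainManager; `Vault`, all method names and the signature check are hypothetical stand-ins.

```python
class KeeperStore:
    """Models EthCrossChainData: the keeper key list, writable only by its owner."""
    def __init__(self, keepers):
        self.owner, self.keepers = None, list(keepers)

    def set_keepers(self, sender, new_keepers):      # hypothetical method name
        if sender is not self.owner:                 # the onlyOwner check
            raise PermissionError("onlyOwner")
        self.keepers = list(new_keepers)

class Vault:
    """Hypothetical ordinary target: releases funds on a relayed message."""
    def __init__(self):
        self.released = []

    def unlock(self, sender, to, amount):
        self.released.append((to, amount))

class Relay:
    """Models EthCrossChainManager: owns the key store and dispatches messages."""
    def __init__(self, store, allowed=None):
        self.store, self.allowed = store, allowed    # allowed=None: flawed design
        store.owner = self

    def execute(self, msg, signers):
        # Stand-in for the header, signature and inclusion checks.
        if not signers or not set(signers) <= set(self.store.keepers):
            raise PermissionError("not signed by current keepers")
        target, method = msg["target"], msg["method"]
        # Hardened: only explicitly registered (target, method) pairs are
        # reachable, so the relay's own privileged contracts never are.
        if self.allowed is not None and (target, method) not in self.allowed:
            raise PermissionError("target not reachable via cross-chain message")
        getattr(target, method)(self, *msg["args"])  # callee sees sender == relay

def relay_key_change(hardened):
    """Relay a validly signed message that targets the key store; return keepers."""
    store, vault = KeeperStore(["keeper-1", "keeper-2"]), Vault()
    relay = Relay(store, {(vault, "unlock")} if hardened else None)
    relay.execute({"target": vault, "method": "unlock", "args": ["alice", 5]},
                  ["keeper-1", "keeper-2"])          # ordinary transfer still works
    msg = {"target": store, "method": "set_keepers", "args": [["outsider-key"]]}
    try:
        relay.execute(msg, ["keeper-1", "keeper-2"])
    except PermissionError:
        pass                                         # hardened relay refuses
    return store.keepers
```

In the unrestricted relay the `onlyOwner` check passes because the caller is the relay itself, which is exactly why the check offers no protection once the relay can be pointed at its own store.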
The expert also suggested that the hacker sent a message from the Ontology network to make the attack harder to track.
Andrey Sobol, a researcher of consensus protocols, stated in a ForkLog comment that an attack on the Poly Network became possible due to a bug in the smart contract.
“Conceptually, the bridge was built in much the same way as bridges in other internetwork protocols. The problem is in the implementation,” he said.
In his opinion, Fichter’s version describes the most plausible reason for hacking.
Recall that the hacking of the Poly Network inter-network protocol occurred on August 10. In total, the attacker withdrew $611 million from the Ethereum, Binance Smart Chain and Polygon networks.
On August 11, the hacker announced his readiness to return the stolen funds. The project team has created three wallets for this purpose.
Later, they received $1 million in USDC, $1.1 million in BTCB token, $2 million in Shiba Inu and $622,243 in FEI stablecoin.
The organizer of the attack on the Chinese Poly Network inter-network protocol reimbursed all $85 million stolen from the Polygon network.
Previously, he had already returned all $253 million from the Binance Smart Chain.
Later, the hacker began transferring funds from the Ethereum blockchain. The Poly Network wallet has already received over $4.5 million in various tokens.
At the time of writing, the remaining part of the stolen cryptocurrency worth $268 million is on the attacker’s Ethereum wallet: 28,954 ETH, 96,942,062 DAI, 1032 WBTC and 33,431,234 USDT.
Recall that on August 10, the Poly Network inter-network protocol was attacked on the Ethereum, Binance Smart Chain and Polygon blockchains. The cumulative damage amounted to $611 million in various cryptocurrencies. Some of the stolen funds, for example in USDT, were blocked.
The project team created three wallets for the return of the funds. Experts have suggested that one of the reasons for the refund was that the hacker had exposed his personal data.
Earlier, developer Kelvin Fichter analyzed in detail the mechanism of the attack on the Poly Network.
Subsequently, the attacker admitted that he was hacking for fun, and chose Poly Network because hacking cross-chain protocols is “hot”.
Hackers attacked the crowdfunding platform DAO Maker. According to PeckShield analysts, unknown persons withdrew more than $7 million in USD Coin (USDC) stablecoins from the platform.
The attackers withdrew the deposits of some DAO Maker users in USDC and converted them into Ethereum. This is confirmed by the Etherscan block explorer, according to which the address allegedly belonging to the hackers holds more than 2,261 ETH (~$7 million at the exchange rate at the time of writing).
The stablecoins may have been converted into ETH to prevent the USDC issuer, the Centre consortium, from freezing the assets.
In the DAO Maker Telegram channel, the project administration reported that it was aware of “problems with deposits.” Users were assured that the incident affected only the depository smart contract and that DAO tokens and staked assets are safe.
During the day, users repeatedly reported missing deposits. The representative of the project, Paul Ujah, asked users to refrain from speculating about a hack of the depository contract. The channel administration disabled the ability to post messages in it.