The Poly Network Hack: Who to Blame?


Introduction

On August 10, 2021, the cross-chain platform Poly Network was attacked, resulting in assets worth over $600M being stolen.

Poly Network is an interoperability protocol that allows different heterogeneous blockchains to work with each other on one platform. By hacking into the Poly Network platform, the attacker was able to drain funds from more than one blockchain. Ethereum, Binance Smart Chain, and Polygon were targeted in the attack.

After the attack, Poly Network attempted to negotiate with the hacker via a naive statement released on Twitter, urging him to return the assets he had stolen. Interestingly enough, the hacker actually responded to the negotiation by embedding messages within Ethereum transactions, taunting the Poly Network team for their negligence. After publishing several messages on the blockchain (including a Q&A session where the hacker essentially interviews himself), the attacker went on to return most of the stolen funds.

The unusual trajectory of this incident begs the question of where to place the blame in these kinds of attacks. Many (including the attacker himself) argue that a cross-chain protocol like Poly Network should have never had this kind of vulnerability to begin with, and that it is their responsibility to provide their users with the kind of security to prevent this from happening.

Before we discuss this further, let us first break down the details of the actual hack that took place.

The Hack

The Poly Network defines itself as “built to implement interoperability between multiple chains in order to build the next generation internet infrastructure”. In simple terms, it is a collection of smart contracts that allow transactions to take place between different blockchains. A user could, for example, use Poly Network to transfer tokens from the Ethereum blockchain to the Binance Smart Chain.

Like most cross-chain projects, Poly Network had a privileged contract that determined when to trigger messages between the blockchains. This contract was named EthCrossChainManager and contained an important function, verifyHeaderAndExecuteTx, which did three things:

  1. Verified the header of the block.
  2. Used a Merkle proof to check whether the transaction was a part of the block.
  3. Called another function named executeCrossChainTx which executes the target contract.

You can think of EthCrossChainManager as the “boss” of the DeFi platform, deciding which contracts get executed after verifying the header of the block and the transactions within it. EthCrossChainManager is the keeper of another contract, called EthCrossChainData. This contract stored important information such as cross-chain data as well as the public key of the Keeper. In other words, EthCrossChainData worked as an accountant to the boss, i.e., EthCrossChainManager, storing the important cross-chain information on its behalf.

One major flaw in the design of the executeCrossChainTx function within EthCrossChainManager was that it had no check preventing it from calling into the EthCrossChainData contract; the only check it performed was whether the target address was a contract at all.

The attacker exploited this vulnerability by passing a carefully crafted sighash to verifyHeaderAndExecuteTx, which subsequently called the executeCrossChainTx function. This function then executed the EthCrossChainData contract’s putCurEpochConPubKeyBytes method, the method used to store the address of the keeper.

By doing this, he was able to change the keeper of the EthCrossChainData contract to an address of his own (i.e., convince the accountant that his boss was someone else). The attacker could then create transactions at will and withdraw any amount of funds from the contract. As the keeper was now modified, all other normal transactions on the chain were then reverted.
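The design flaw described above, as an added Solidity sketch that is not Poly Network's own code: the flawed dispatcher gates the target only on "is it a contract?", while the hardened version refuses the privileged data contract and the manager itself and dispatches only to receivers registered ahead of time. Contract, function and variable names in this sketch are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch added to this post; it is not Poly Network's code.
// All names below (CrossChainManagerSketch, dataContract, allowedTargets,
// executeFlawed, executeHardened) are assumptions for this example.
contract CrossChainManagerSketch {
    // Storage contract holding cross-chain state and the keeper's key.
    // Its privileged setters trust this manager as their owner.
    address public immutable dataContract;

    // Target contracts explicitly registered as valid cross-chain receivers.
    mapping(address => bool) public allowedTargets;

    constructor(address _dataContract) {
        dataContract = _dataContract;
    }

    function isContract(address a) internal view returns (bool) {
        return a.code.length > 0;
    }

    // Flawed shape: the only gate is "is the target a contract?", so a
    // message whose target is dataContract passes and reaches its
    // privileged methods with the trusted manager as msg.sender.
    function executeFlawed(address toContract, bytes memory callData)
        internal returns (bool)
    {
        require(isContract(toContract), "target is not a contract");
        (bool ok, ) = toContract.call(callData);
        return ok;
    }

    // Hardened shape: refuse privileged addresses outright and only
    // dispatch to receivers that were registered in advance, so a
    // cross-chain message can never rewrite the keeper.
    function executeHardened(address toContract, bytes memory callData)
        internal returns (bool)
    {
        require(toContract != dataContract, "target is the data contract");
        require(toContract != address(this), "target is the manager");
        require(allowedTargets[toContract], "target is not registered");
        require(isContract(toContract), "target is not a contract");
        (bool ok, ) = toContract.call(callData);
        return ok;
    }
}
```

The deny-list lines alone would have blocked the keeper rewrite; the allow-list additionally prevents a future privileged contract from being reachable by accident.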

Aftermath

By the time the Poly Network community had discovered that assets had been compromised, over $600M worth of funds had been stolen. They then published the accounts which held the stolen assets, urging members of the blockchain community to blacklist tokens coming from them. Cryptocurrency firm Tether went on to freeze $33 million USDT connected with the hack as well.

Soon after, Poly Network released a statement on Twitter urging the hackers to return the assets they had stolen. The statement, beginning with “Dear hacker”, was quickly met with ridicule for its naive approach to solving the problem, coming off as more of a desperate plea than the beginning of a negotiation.

The attacker was also an interesting case, going on to taunt the Poly Network team for their carelessness. Several transactions discovered on the Ethereum blockchain via a block explorer included messages from the hacker’s address. There was even a Q&A included in these messages in which he discussed his motives behind the attack, claiming it was just “for fun” and that he wasn’t interested in the money; his only goal was to make Poly Network “learn something from these hacks”.

As of 13 August, almost all of the funds have been returned. All that is left is the $33 million USDT frozen by Tether.

Takeaways for the Blockchain Community

What was essentially the biggest hack in the history of cryptocurrency became a valuable lesson on the importance of security and just how powerless big organizations can become in the face of powerful hackers.

The transparent nature of smart contracts can make it very easy for someone to exploit them, while at the same time being a roadblock preventing them from cashing in their loot. Many believe the motivation for returning the stolen assets may have stemmed from this fear, instead of the more noble reason the attacker had painted. However, this is questionable in itself regarding the core philosophy of anonymity that blockchain stands on. If the fear of being tracked led the attacker to return the money, is this technology really anonymous?

Figuring out where to place the blame in these kinds of incidents is also difficult. Online, the hacker was met with great admiration for the feat he had achieved, supporting him in his views of this being the result of Poly Network’s negligence. At the same time, the assets that had been stolen were of the general public and the attacker had no right to take them away.

Regardless of whose fault it was, the key lesson put forth by this incident is that of security. This hack underlined the importance of carefully designing the architecture of your code. In this case, the hacker was able to steal millions of dollars worth of funds due to a design flaw that should have been taken care of.

We can no longer afford to cut corners in ensuring our smart contracts are rock-solid in every way; the likelihood of losing more than can be borne is far too big.

Poly Network got lucky this time, though there can be no guarantee of a favorable outcome in the next hack.

References

https://github.com/polynetwork/eth-contracts
