More details are being revealed after the July 2 attack on multi-chain bridge platform Poly Network, which resulted in a hacker being able to issue billions of tokens out of thin air for profit.
on July 2 on Twitter, Polly Network Certain It became the latest victim of a DeFi exploit after attackers managed to manipulate smart contract functionality on the cross-chain bridging protocol, adding that services would be temporarily suspended.
In a recent update, the team revealed the impact of the exploit on 57 crypto assets on 10 blockchains — including Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKx, and others like Metis.
It did not specify the amount stolen in the attack but Picshield earlier mentioned That the exploiter has transferred at least $5 million in cryptocurrency.
“We’ve already begun reaching out to centralized exchanges and law enforcement agencies and asking for their help,” the team stated in a July 3 update.
It also advised project teams and token holders to withdraw liquidity and open LP (Liquidity Provider) tokens.
“34 billion” Poly network hack
DeFi Security Analyst @0xArhat He said The exploit was the result of a vulnerability in the smart contract that allowed the hacker to “forge a malicious parameter containing a fake validator signature and block header.”
This was accepted by the smart contract which enables the hacker to bypass the verification process allowing them to issue tokens from the Poly network’s Ethereum pool to their own address on other chains, such as Metis, BNB Chain and Polygon.
The process was repeated for other chains enabling the token inventory to accumulate.
The analyst said that at one point, the hacker’s wallet contained approximately $42 billion in tokens, but he was only able to transfer and steal a small portion of it.
“In this way, hackers were able to mint billions of tokens on several block chains that did not exist before and transfer them to their own wallet addresses.”
Dedaub, a blockchain security solutions provider, called the latest Poly Network exploit the “34 billion Poly Network hack.”
Getting to the Bottom of the “34 Billion” Poly Network Hack Through a Technical Anatomy of Death.
Poly Network had a 3 of 4 minor multimedia arrangement over the course of 2 years!
Looking at the last event, we found that the private keys of the specified addresses were compromised. pic.twitter.com/Y0eMJXcYso
– Didube (Dedube) July 2, 2023
Didube pointed out weaknesses in the protocol’s multi-signature stating that it had a simple “3 out of 4” multi-signature ranking over two years, adding:
“Looking at the last event, we found that the private keys of the specified addresses were compromised.”
Didube explained that the attack was not complex as no logical errors were exploited. It added that PolyNetwork was slow to respond and took seven hours, costing the platform $5.5 million in stolen cryptocurrency. Fortunately, the lack of liquidity in many tokens prevented further losses.
Related: More than $204 million was lost to DeFi scams and scams in the second quarter
After the attack, Binance CEO Changpeng Zhao reassured customers, Mentionsed that “This does not affect Binance users. We do not support deposits from this network.”
Poly network got the rkt again; Pretending to hack hotkeys.
This will continue to happen until our industry changes our approach to security.
Smart contract audits are only scratching the surface.
Note Poly Network has nothing to do with Polygon. https://t.co/n1qI48b4Kb
– Mudit__Gupta (@Mudit__Gupta) July 2, 2023
Cointelegraph reached out to Polly Network for more details but did not receive a response at the time of publication.
The Poly network was attacked once before in one of the industry’s biggest exploits in August 2021 when hackers were later revealed to be linked to the North Korean collective Lazarus, where they stole more than $600 million.
The Journal: Tornado Cash 2.0: The Race to Build Safe and Legal Coin Mixers