Poly Network Attack: Hacker Exploits Cross-Chain Bridge, Affects 57 Cryptocurrencies Worth Millions

The recent attack on the cross-chain bridge platform Poly Network has sent shockwaves through the crypto community.

The hacker managed to manipulate a smart contract function, creating billions of tokens out of thin air and affecting 57 different crypto assets on various blockchains.

On July 2, Poly Network became the latest victim of a decentralized finance (DeFi) exploit when attackers took advantage of a smart contract vulnerability.

The exploit allowed the hacker to craft a malicious parameter with a fake validator signature and block header, bypassing verification processes.

This enabled the hacker to issue tokens from Poly Network’s Ethereum pool to their own address on different chains, including Metis, BNB Chain, and Polygon.

The extent of the attack was massive, with the hacker’s wallet briefly holding around $42 billion worth of tokens.

However, they were only able to convert and steal a fraction of this amount, thanks to liquidity issues in some tokens. PeckShield, a DeFi security analyst, reported that at least $5 million worth of crypto was transferred out by the exploiter.

#PeckShieldAlert @PolyNetwork2 exploiter has transferred more than $5M worth of cryptos out on #Ethereum, #BNBChain, and #Polygon, especially 1.5K $ETH ($2.88M) to 0x23f4…c671, 440 $ETH ($844K) to 0xc8Ab…C42F, and 300 $ETH (~$575K) to 0xfD3E…b778https://t.co/EbYdTo3xIg… pic.twitter.com/I5Lg9UJ0eU

— PeckShieldAlert (@PeckShieldAlert) July 2, 2023

Poly Network acted swiftly to address the attack, temporarily suspending its services to investigate the incident. The platform’s team promptly communicated with centralized exchanges and law enforcement agencies, seeking their assistance in resolving the issue.

Additionally, they advised project teams and tokenholders to withdraw their liquidity and unlock liquidity provider tokens.

Blockchain security solutions provider Dedaub aptly dubbed the attack as the “34 billion Poly Network hack.” The firm highlighted weaknesses in the protocol’s multisig system, which featured a simple “3 of 4” multisignature arrangement for over two years. The compromise of private keys to these addresses enabled the hacker to execute the attack.

Getting to the bottom of the "34 billion" Poly network hack with a technical postmortem.

TL ; DR

Poly network had a simple 3 of 4 multisig arrangement over 2 years!

Looking at the final event we found that the private keys to the addresses marked were compromised. pic.twitter.com/Y0eMJXcYso

— Dedaub (@dedaub) July 2, 2023

Binance CEO Changpeng Zhao assured Binance users that the attack did not impact their funds, as the platform does not support deposits from the affected network. This statement brought some relief to Binance users concerned about the security of their holdings.

TagsCrypto