Around 600 million US dollars in stablecoins have been stolen from the "PolyNetwork" DeFi protocol. This is the largest hack of a DeFi application to date. It is currently unclear what enabled the exploit, but the hacker has promised to return the funds.
PolyNetwork is a protocol for exchanging tokens across multiple blockchains, including Bitcoin, Ethereum and the Binance Smart Chain (BSC). It was formed by an alliance between the teams behind several blockchain platforms such as NEO and Ontology. It should not be confused with the Ethereum scaling project Polygon.
The hacker moved over $600 million in digital assets to 3 different addresses before he tried to sell them. PolyNetwork quickly asked the miners of the affected blockchain and crypto exchanges to blacklist tokens coming from the attacker's addresses. In response, Tether froze 33 million USDT, and Binance, OKEx, and Huobi executives also took appropriate action. As a result, the hacker realized that it would be almost impossible to convert the entire amount, and he decided to send the funds back to the protocol.
What happened in the first place?
After some speculation, ranging from an inside job to a weak private key, PolyNetwork apparently found the cause in a vulnerable function in the smart contract. Through a carelessly designed feature, the hacker was able to unlock $600 million and send it to his own address.
After preliminary investigation, we located the cause of the vulnerability. The hacker exploited a vulnerability between contract calls, exploit was not caused by the single keeper as rumored.
— Poly Network (@PolyNetwork2) August 10, 2021
Blockchain security company SlowMist announced that they have already tracked down the identity of the attacker. The company claims to know his email address, IP information and the fingerprint of the device. This is not entirely impossible, as some of the PolyNetwork hacker's wallets show DeFi activity and had interactions with centralized exchanges, where he may have gone through identification processes.
Communication with the attacker
It was already foreseeable that the attacker could not simply get rid of looted crypto assets of this amount. Nevertheless, an Ethereum user gave the attacker a tip in a message embedded in a transaction. This happened after Tether, the company behind the largest stablecoin USDT, put his address on its blacklist.
"DON'T USE YOUR USDT TOKENS. YOU'RE BLACKLISTED." - Anonymous Ethereum user
The attacker thanked the account with a transaction of 13.37 ETH. In response, various other wallet addresses interacted with the hacker. Many transactions included messages to the attacker, ranging from congratulations to stories of ruined lives to begging letters.
Hacker admits his mistake
After further tips from various addresses, it turned out that the attacker was not very familiar with the Ethereum blockchain. In three transactions to himself, which can be publicly viewed in a block explorer, he asked for advice on various points. Apparently, however, the hacker came to the conclusion that it was not worth all the trouble.
"READY TO RETURN THE FUNDS! I NEED A SECURED MULTISIG WALLET FROM POLYNETWORK." - Hacker in two Ethereum transactions
The attacker thus agreed to return the stolen tokens. Once the PolyNetwork team provides an address, this transaction should also be publicly viewable. The incident once again highlights the interplay between decentralization and centralized trading venues. Converting a stolen amount in the millions from the blockchain world into fiat money is nearly impossible in most cases.