Cross-Chain DeFi Site Poly Network Hacked; Hundreds of Millions Potentially Lost
Cross-chain decentralized finance (DeFi) platform Poly Network was attacked on Tuesday, with the alleged hacker draining roughly $600 million in crypto.
Poly Network, a protocol launched by the founder of Chinese blockchain project Neo, operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tuesday’s attack struck each chain consecutively, with the Poly team identifying three addresses where stolen assets were transferred.
At the time that Poly tweeted news of the attack, the three addresses collectively held more than $600 million in different cryptocurrencies, including USDC, wrapped bitcoin, wrapped ether and shiba inu (SHIB), blockchain scanning platforms show.
Subscribe to , By signing up, you will receive emails about CoinDesk products and you agree to our terms & conditions and privacy policy
“We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses,” the Poly team tweeted.
The $600 million figure would place the Poly Network hack among the largest in crypto history.
Tether froze approximately $33 million in relation to the hack, Tether CTO Paolo Ardoino tweeted.
About one hour after Poly announced the hack on Twitter, the hacker tried to move assets including USDT through the Ethereum address into liquidity pool Curve.fi, records show. The transaction was rejected.
Meanwhile, close to $100 million has been moved out of the Binance Smart Chain address in the past 30 minutes and deposited into liquidity pool Ellipsis Finance.
The Poly team could not be reached for comment at the time of publication.
Poly Network was the second Chinese interoperability protocol to be featured on the government-backed Blockchain-based Service Network.
Anatomy of an exploit
BlockSec, a China-based blockchain security firm, said in an initial attack analysis report that the hack may be triggered by the leak of a private key that was used to sign the cross-chain message.
But it also added that another possible reason is a potential bug during Poly’s singing process that may have been “abused” to sign the message.
According to another China-based blockchain security firm, Slowmist, the attackers’ original funds were in monero, a privacy-centric cryptocurrency, and were then exchanged for BNB, ETH, MATIC and a few other tokens.
The attackers then initiated the attacks on Ethereum, BSC and Polygon blockchains. The finding was supported by Slowmist’s partners, including China-based exchange Hoo.
“Based on the flows of the funds and multiple fingerprint information, it is likely a long-planned, organized, and well-prepared attack,” Slowmist wrote.
In a response to the attack, a spokesperson from Binance Smart Chain told CoinDesk that as a “decentralized” blockchain, protocols and users on BSC need to take security measures “extremely seriously.”
“We are aware of the Poly exploit that has affected Ethereum, Polygon and BSC users,” the spokesperson said. “Recently, several trustless bridges have become victims of such critical attacks and we recommend security audits and necessary due diligence prior to interacting with any projects.”
The spokesperson said BSC is currently working with its security partners to provide as much support as possible to the ongoing investigation.
The Poly Network incident shows how nascent cross-chain protocols are particularly vulnerable to attacks. In July, cross-chain liquidity protocol Thorchain suffered two exploits in two weeks. Rari Capital, another cross-chain DeFi protocol, was hit by an attack in May, losing funds worth nearly $11 million in ETH.
“As evidenced by all the exploits we’ve seen, cross-chain is a very hard area … with the added complexity of connections with every other chain and all their idiosyncrasies,” Ryan Watkins, a research analyst at blockchain data firm Messari, said.
UPDATE (Aug. 10, 14:30 UTC): Adds information about the wallet addresses and Tether’s move.
UPDATE (Aug. 10, 14:54 UTC): Adds information about funds moving out of the Binance Smart Chain address.
UPDATE (Aug. 10, 17:36 UTC): Adds comments from Slowmist and Messari.
“DeFi” crime hits record high in first 7 months of 2021 -CipherTrace
NEW YORK (Reuters) - Losses from theft, hacks, and fraud in “decentralized finance” or DeFi, a thriving segment in the cryptocurrency sector, hit an all-time high in the first seven months of the year, a report from crypto intelligence company CipherTrace showed on Tuesday.
FILE PHOTO: Representations of cryptocurrencies Bitcoin, Ethereum, DogeCoin, Ripple, Litecoin are placed on PC motherboard in this illustration taken, June 29, 2021. REUTERS/Dado Ruvic/Illustration
But losses from crime in the overall cryptocurrency market dropped sharply to $681 million at the end of July, compared to $1.9 billion for the whole of 2020 and $4.5 billion in 2019.
The drop in crypto crime overall reflected the industry’s growing maturity and much-improved security infrastructure, investors said.
The DeFi sector, on the other hand, registered criminal losses of a record $474 million from January to July.
DeFi applications, many of which run on the Ethereum blockchain, are financial platforms that enable crypto-denominated lending outside of traditional banks.
“It shouldn’t come as a surprise that as the DeFi ecosystem expands, so are DeFi crimes,” Dave Jevans, CipherTrace’s chief executive officer, said in an email to Reuters.
“Just eight months into 2021 and DeFi hacks, thefts, and frauds have already surpassed the total DeFi crimes from 2020. This means regulators around the globe are paying closer attention to DeFi specifically.”
The value locked - the total number of loans on DeFi platforms - was $80.4 billion on Monday, down from $86 billion in mid-May, DeFi Pulse data showed, but up more than 600% from $11 billion in October last year.
There are two types of DeFi crimes: the hack of a DeFi protocol by outsiders, or a “rug pull” by insiders, CipherTrace said. A “rug pull” occurs when crypto developers abandon a project and run away with investors’ money.
The majority of DeFi crimes in 2021 appear to have been conducted by outsiders as hacks, making up $361 million, or 76%, of all DeFi-related crime. The remaining 24% are rug pulls tallying over $113 million at the end of July.
Last Friday, the U.S. Securities and Exchange Commission said it charged lender Blockchain Credit Partners and two of its top executives for raising $30 million through allegedly fraudulent offerings. The case is the SEC’s first involving securities in the DeFi space.
Biggest DeFi Hack? PolyNetwork Exploited for $600M in ETH, BNB, and USDC
The interoperability protocol PolyNetwork has been exploited on Binance Smart Chain, Polygon, and Ethereum. The perpetrators have set a record within the decentralized finance space by swiping more than $600 million from at least three wallet addresses.
Earlier on August 10th, PolyNetwork announced on its Twitter account that it had experienced a security breach.
Important Notice:
We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker’s following addresses:
ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71 — Poly Network (@PolyNetwork2) August 10, 2021
The team behind the project indicated that assets stored on Binance Smart Chain, Ethereum, and Polygon had been transferred to other addresses belonging to the hackers.
The ETH address , which has already been reported to be involved in the hack, currently contains 2,858 ETH tokens with a value of $266,5 million.
The Binance Smart Chain wallet has more than 6,610 BNB tokens. The value in USD terms represents just a bit over $252 million.
Lastly, the Polygon address shows $85 million. Ultimately, the total amount stolen exceeds $600 million as of writing these lines.
PolyNetwork also urged cryptocurrency exchanges to blacklist any tokens coming from these addresses.
Additionally, the team promised to “take legal actions” and asked the hackers to return the stolen funds.