Recent Polygon Hack

The Binance Smart Chain, Ethereum, and Polygon blockchains are used by Poly Network. In what is the largest defi breach in history, the latest attack hit each chain in turn, totaling over $600 million (ETH $273 million, BSC $253 million, and Polygon $85 million, respectively).

Poly Network, a cross-chain defi network, was hacked on August 10th, 2021, with the claimed hacker stealing about $600 million in cryptocurrency. The astronomical amount represented the largest hack in the defi history. Polynetwork publicly announced on their twitter account regarding the incident as seen below:

The Poly team was able to locate three addresses. On the Ethereum, Binance Smart Chain, and Polygon blockchains, it provided three wallet addresses which can be seen below:

Poly Network put out a plea for the stolen Ethereum, BinanceChain and OxPolygon tokens to the hackers by trying to work out a solution.

The address is made to be public and can be accessed just by knowing their addresses. By clicking on the hacker’s address on BSC, the hacker’s wallet can be seen below:

The hacker attempted to shift assets including USDT through the Ethereum address into liquidity pool Curve.fi around an hour after Poly reported the attack on Twitter, according to the records. The transaction was rejected.

ASK ME ANYTHING (AMA) WITH HACKER

According to the Q&A below, the hacker claims to have spent time on the Poly Network seeking weaknesses to attack. The attacker chose to breach the platform and reveal Poly Network’s fragile security framework after discovering a flaw and unsure whether they could trust anyone within the platform’s team. On the Ethereum blockchain, the hacker posted a three-page ‘ask me anything’ (AMA) in which he/she/they appear to have performed a self-interview about the hack.

How did they do it?

The Binance Smart Chain, Ethereum, and Polygon blockchains are used by Poly Network. Tokens are transferred across blockchains using a smart contract that specifies when the assets should be released to the counterparties. According to Kalvin Fitchner, an Ethereum programmer, the hackers appeared to have overridden the contract instructions for each of the three blockchains, diverting money to three wallet addresses, which are digital locations for tokens. Poly Network was eventually able to track them down and publish them. The attackers stole funds in more than 12 different cryptocurrencies, including ether and a type of bitcoin, according to blockchain forensics company Chainalysis.

· The “EthCrossChainManager” contract belongs to Poly. It’s essentially a privileged contract with the ability to send messages to a different chain. It’s a rather common occurrence in cross-chain initiatives.

· Anyone can call the function verifyHeaderAndExecuteTx to conduct a cross-chain transaction. It basically (1) checks signatures to ensure that the block header is valid.

· The target is important because it keeps track of the list of public keys that authenticate data coming from the other chain. In other words, if the list can be modified, there is no need to hack the private keys. The public keys are match to the hackers own private keys.

· The hacker realized that they could send a cross-chain message directly to the EthCrossChainData contract, which is owned by the EthCrossChainManager. The only remaining challenge was to figure out how to make the EthCrossChainManager call the right function.

· The first four bytes of transaction input data is called the “signature hash” or “sighash” for short. It’s a short piece of information that tells a Solidity contract what you’re trying to do.

· The sighash of a function is calculated by taking the first four bytes of the hash of “<function name>(<function input types>)”. For example, the sighash of the ERC20 transfer function is the first four bytes of the hash of “transfer(address,uint256)”.

· Poly’s contract was willing to call any contract. However, it would only call the contract function that corresponded to the following sighash:

· No private key compromise is required as crafting the right data would see the contract hacking itself.

Where did they Store the Stolen Funds?

The hackers started transferring assets back to Poly Network into a wallet which both parties controlled. By Thursday afternoon, the hackers had returned nearly all of the assets, with just $33 million tokens that were frozen earlier by cryptocurrency platform Tether left outstanding, Poly Network said.

The hacker or hacker(s) that was responsible has yet to be discovered. The robbery was most certainly a well-planned, well-executed heist, according to crypto security specialists. It went on to say that it was still in contact with the hackers, referring to them as “Mr. White Hat”, an ethical hacker who strives to uncover flaws so they may be addressed.

Mr. White Hat Gets a Reward

Mr. White Hat started with about $260 million worth of digital assets and on August 23rd, gave Poly Network access to the last tranche of stolen digital assets in their wallet, worth about $141 million. Poly Network’s rewarded Mr. White Hat in the form of about $500,000 (160 ETH), which was transferred to his Ethereum wallet which he made public. He also received an “invitation” for Mr. White Hat to become its Chief Security Advisor. The company also stated it had no intention to hold the hacker legally accountable.

Poly Network went from losing more than half a billion dollars to achieving international fame not just for being the victim of the world’s greatest cryptocurrency theft, but also for retrieving all of the assets, in just two weeks. Furthermore, the firm chose to let go of the past and not pursue legal action against the hacker, instead offering them a top security position and $500,000 in compensation.

Related posts:

Siapa yang tidak kenal dengan Pramoedya Ananta Toer? Pria yang akrab disapa Pram ini merupakan sastrawan terkenal dari Indonesia. Pria yang lahir di Blora, 6 Februari 1925 ini telah menciptakan lebih…

Try as we might to avoid them, some emotions continue to creep up on us and pay us an uninvited visit — fear, anger, jealousy, embarrassment, resentment, scarcity. They are all part of life and…

This course is something that I should have taken in a way that I met a lot of wonderful and amazing people. I appreciate every conversation we shared and what we talked about. It was precious. This…