After almost two years, Poly Network experiences déjà vu as hackers strike again.
Poly Network, a cross-chain bridge platform, became the latest victim of the Decentralized Finance (DeFi) exploit. During the attack, malicious actors fabricated billions of tokens for profit.
The incident, which transpired on July 2nd, saw the hackers manipulate a fundamental function of the smart contract, allowing them to issue non-existent tokens on the network.
Did you know?
Want to get smarter & wealthier with crypto?
Subscribe - We publish new crypto explainer videos every week!
What is Ripple? Beginner-Friendly XRP Explainer (Animated)
By utilizing the smart contract loophole, hackers transferred tokens from Poly Network's Ethereum pool to their addresses on several other chains.
The technique applied was as straightforward as it was devious. It involved creating a false parameter loaded with a counterfeit validator signature and block header.
As a result, the hackers bypassed the usual verification protocols, thereby initiating the minting process for these illicit tokens. Moreover, they replicated this process across several chains, amassing a substantial token collection.
Among the affected networks were prominent blockchains such as Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKx, and Metis, among others.
Analytics from Peckshield suggests the attacker siphoned off at least $5 million in crypto assets. Despite the ambiguity surrounding the precise stolen amount, the attackers' wallets held an estimated $42 billion in tokens at one point, as noted by DeFi security analyst @0xArhat.
However, the successful conversion and theft of these tokens were inhibited by one primary obstacle - liquidity. A liquidity shortage made it challenging for the attacker to monetize the large stash of fabricated tokens. This shortage was particularly apparent for tokens like Binance Coin (BNB) and Binance USD (BUSD) on the Metis blockchain.
In contrast, liquidity was found for a few other illicitly minted tokens, enabling the attacker to exchange a significant token volume. It is believed that the attacker traded 94 billion Shiba Inu (SHIB) tokens for 360 Ether (ETH), 495 million Cook (COOK) for 16 Ether, and 15 million RioDeFi (RFuel) for 27 Ether.
After the incident, the Poly Network took immediate action to stop the move of stolen funds. They've initiated communications with centralized exchanges and law enforcement agencies. In addition, they've advised the stakeholders of affected projects and token holders to unlock their LP tokens and withdraw liquidity.
Security provider Dedaub has subsequently named this exploit the "34 billion Poly Network hack." The company was critical of the protocol's simplistic "3 of 4" multi-signature arrangement and delayed response, which likely contributed to the breach. Dedaub emphasized that this was not a sophisticated attack as no logic bugs were exploited.
This isn't the first instance Poly Network fell prey to such an attack. The platform was compromised for $600 million in August 2021, marking a record in the crypto industry.
The attack is a stark reminder of the vulnerabilities within the blockchain ecosystem, particularly concerning cross-chain bridges.
