The cross-chain bridge platform Poly Network fell victim to a major attack, resulting in a hacker being able to generate billions of tokens for profit on July 2. The exploit involved manipulating a smart contract function on the platform’s cross-chain bridge protocol, leading Poly Network to temporarily suspend its services. The attack affected 57 different crypto assets across 10 blockchains, including Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKx, and Metis.
Although Poly Network did not specify the exact amount stolen in the attack, it was reported that the hacker transferred at least $5 million worth of cryptocurrencies. In response to the incident, Poly Network initiated communication with centralized exchanges and law enforcement agencies, seeking their assistance in resolving the issue. The project team also advised other project teams and token holders to withdraw liquidity and unlock their LP tokens.
According to a DeFi security analyst, the exploit was a result of a smart contract vulnerability that allowed the hacker to craft a malicious parameter containing a fake validator signature and block header. This parameter was accepted by the smart contract, bypassing the verification process and enabling the hacker to issue tokens from Poly Network’s Ethereum pool to their address on other chains, such as Metis, BNB Chain, and Polygon. This process was repeated across multiple chains, resulting in the accumulation of a significant token stash.
Poly Network hack
At one point, the hacker’s wallet held approximately $42 billion worth of tokens, but they were only able to convert and steal a fraction of that amount. The attack has been called the “34 billion Poly Network hack” by blockchain security solutions provider Dedaub, highlighting weaknesses in the protocol’s multi-signature arrangement. Dedaub discovered that the private keys to the compromised addresses were compromised, emphasizing the need for more robust security measures.
Dedaub also noted that the attack was not complex and did not exploit any logic bugs. However, Poly Network’s response to the attack was criticized for being slow, taking seven hours, and resulting in a cost of $5.5 million in stolen crypto. Fortunately, a lack of liquidity in many of the tokens prevented further losses.
Binance CEO Changpeng Zhao reassured customers that the attack would not affect Binance users, as they do not support deposits from the Poly Network. This incident marks the second major attack on Poly Network, with the previous one occurring in August 2021, where hackers linked to the North Korean hacking collective, the Lazarus Group, made off with over $600 million.
