
Dissecting Poly Network Hack: What Really Happened

source link: https://hackernoon.com/dissecting-poly-network-hack-what-really-happened


Dmitry Mishunin

CEO HashEx

Disclaimer: I'm showing an alternative perspective considering an inside cyber attack. I will support my hypothesis with several fact-based arguments while trying to stay objective.

The Poly Network cyberattack, recorded at the time as the largest hack in the cryptocurrency market, saw roughly $611 million worth of crypto-assets drained from the project's bridge contracts.

The network is a cross-chain bridge connecting Ethereum, Binance Smart Chain, and Polygon Network. The attack produced a host of catchy headlines and more than one version of what happened, some of which contradict each other. But there are still more questions than clear answers.

A PR stunt or a cyber attack?

According to the report published by the cybersecurity firm SlowMist, the Poly Network hack was carried out by exploiting a vulnerability in the interchain bridge contracts built by Poly Network.

The cybersecurity firm BlockSec put forward two possibilities in its own analysis: either the hacker got hold of a key that enabled him to sign cross-chain transactions on the Poly Network bridges, or he found a bug in a Poly Network smart contract that allowed him to forge such transactions himself.

In its report, SlowMist set out its understanding of the vulnerability in Poly Network that the hacker exploited and of how he did it.

The firm states that the hacker was able to substitute the keeper of the EthCrossChainData contract ‘through the EthCrossChainManager contract by calling the putCurEpochConPubKeyBytes function of the EthCrossChainData contract’.
And the EthCrossChainManager contract can execute user-specified cross-chain transactions ‘by calling the executeCrossChainTx function internally’.
So, by changing the keeper of the EthCrossChainData contract to a key he controlled, the hacker could sign cross-chain messages the bridge would accept and have the manager execute the cross-chain transactions he specified.
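To make the relationship between the two contracts concrete, here is an added illustrative model in Solidity. It is not Poly Network's code: the constructors, the owner wiring and the governance address are assumptions made for the illustration, and only the contract and function names come from the text. It reproduces the pattern the public analyses pointed at: the manager contract is the owner of EthCrossChainData, and it also forwards ‘cross-chain transactions’ by building a function selector from a caller-supplied method name and calling whatever target the message names. A message whose target is the data contract and whose derived selector matches putCurEpochConPubKeyBytes(bytes) therefore rotates the keepers, which is the substitution SlowMist describes. The hardened variant below it keeps the executor away from the data contract and replaces the derived selector with a fixed interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed, simplified model of the call path described in the text (not Poly
// Network's code). Contract and function names follow the text; the owner and
// governance wiring is an assumption made for this illustration.

contract EthCrossChainData {
    address public owner;                 // assumed: the manager contract
    bytes public curEpochConPubKeyBytes;  // current keeper public keys

    constructor(address _owner) { owner = _owner; }

    modifier onlyOwner() {
        require(msg.sender == owner, "ECCD: caller is not the owner");
        _;
    }

    // Replaces the keeper set. Whoever controls these keys can sign headers the
    // manager accepts, so this is the most sensitive function in the system.
    function putCurEpochConPubKeyBytes(bytes calldata _pubKeys) external onlyOwner returns (bool) {
        curEpochConPubKeyBytes = _pubKeys;
        return true;
    }
}

// Vulnerable pattern: the contract that owns EthCrossChainData also forwards
// arbitrary calls whose selector is derived from caller-supplied bytes.
contract VulnerableManager {
    EthCrossChainData public immutable eccd;

    constructor(EthCrossChainData _eccd) { eccd = _eccd; }

    // In the real system this runs only after the header/signature checks in
    // verifyHeaderAndExecuteTx; those checks are omitted here.
    function executeCrossChainTx(
        address _toContract,
        bytes calldata _method,
        bytes calldata _args,
        bytes calldata _fromContractAddr,
        uint64 _fromChainId
    ) external returns (bool) {
        // selector = keccak256(_method || "(bytes,bytes,uint64)")[:4]. A caller
        // who picks _method so that this equals
        // bytes4(keccak256("putCurEpochConPubKeyBytes(bytes)")) and sets
        // _toContract = address(eccd) makes the manager rotate the keepers to
        // _args: the ABI decoder reads the first bytes argument and ignores the
        // two trailing ones.
        bytes4 selector = bytes4(keccak256(abi.encodePacked(_method, "(bytes,bytes,uint64)")));
        (bool ok, ) = _toContract.call(abi.encodePacked(selector, abi.encode(_args, _fromContractAddr, _fromChainId)));
        return ok;
    }
}

// Hardened pattern: least privilege in both directions.
//  1. The executor may only call business contracts registered by governance,
//     and the data contract can never be registered.
//  2. The target's entry point is a fixed, typed interface, so no selector is
//     ever derived from untrusted bytes.
interface ICrossChainTarget {
    function onCrossChainTx(bytes calldata args, bytes calldata fromContractAddr, uint64 fromChainId)
        external returns (bool);
}

contract HardenedManager {
    EthCrossChainData public immutable eccd;
    address public governance;                       // assumed multisig / governance address
    mapping(address => bool) public allowedTargets;  // e.g. the LockProxy contract

    constructor(EthCrossChainData _eccd, address _governance) {
        eccd = _eccd;
        governance = _governance;
    }

    function allowTarget(address _target, bool _allowed) external {
        require(msg.sender == governance, "not governance");
        require(_target != address(eccd), "data contract is not a call target");
        allowedTargets[_target] = _allowed;
    }

    function executeCrossChainTx(
        address _toContract,
        bytes calldata _args,
        bytes calldata _fromContractAddr,
        uint64 _fromChainId
    ) external returns (bool) {
        require(allowedTargets[_toContract], "target not registered");
        return ICrossChainTarget(_toContract).onCrossChainTx(_args, _fromContractAddr, _fromChainId);
    }
}
```

The minimal patch is the single check that the target is not the data contract; the allowlist and the typed interface matter because a manager that can call any address with any selector effectively carries the privileges of every contract it owns, keeper rotation included.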
BlockSec leaned towards a different version of the hack, in which the hacker got hold of valid Poly Network transaction-signing keys and used them to sign the cross-chain transactions himself.

The company based that statement on two observations: the attacker supplied a message that passed verification in the verifyHeaderAndExecuteTx function of the EthCrossChainManager, and the onlyManagerContract modifier in the LockProxy smart contract was not bypassed, meaning the unlock calls came from the manager contract itself.
Both scenarios would be very hard to confirm from the outside, and the signing keys could not have been obtained unless they were either leaked or handed to the hacker. This key-compromise version offered by BlockSec makes an inside attack all the more plausible.

Here we should note that the hacker returned all of the stolen funds and stated that his goal was not to steal them but to warn the project of the existing threat.

The combination of the biggest hack to date and the hacker disclaiming all of the stolen funds produced a massive PR effect for Poly Network, whose name did the rounds across all of the blockchain media and many mainstream outlets. That alone might raise eyebrows.

The SlowMist report also suggested that the hacker may have decided to return the funds because the credentials he used on the China-based cryptocurrency exchange Hoo.com could be linked to his real identity. The hacker had used the exchange to withdraw 0.47 ETH to pay for gas in the attack.

In response, the hacker stated that he had used multiple anonymization tools and that his identity could not be revealed. This makes fear of prosecution a less convincing motive for returning the funds and gives more reason to believe that the company’s management might have been involved.

How to fight cyber threats in DeFi?

The biggest problem with the security of decentralized protocols in DeFi is their smart-contract architecture. Many protocols consist of several smart contracts; if a single contract can have a bug, a system of several contracts that trust one another has a larger attack surface, and a flaw in how they trust each other can be worse than a flaw in any one of them. In order to build a safe decentralized protocol, close attention should be paid to the security of the entire system, not just of each contract in isolation.

One way to minimize these risks is a modular approach: the whole system is built of blocks, each of which can be replaced on its own without compromising the system’s operation.

This approach works well in data centres, where blade servers and routers can be swapped individually. Decentralized software is a different matter, and adopting a modular approach there presents its own challenges: every replaceable module is also an upgrade path that must itself be protected, since whoever controls it controls the system. Still, the ability to change one part of a decentralized protocol without affecting the others is a good way to fix bugs quickly and efficiently.

It is also important for developers to know the Solidity programming language well, as it remains the dominant language for the Ethereum Virtual Machine. Gaps in Solidity knowledge are a common source of bugs in Ethereum-based smart contracts.

An independent technical audit can catch most vulnerabilities in smart contracts before deployment, and more attention should be given to the reliability of the code.

In this regard, double-checking should be basic practice: employing more than one auditor increases the chances of finding bugs in your DeFi platform before an attacker does. In any case, technical audits should be a must for all DeFi projects, as only a systemic approach to security can make DeFi safe and allow the industry to develop and grow.

What have we learned from the Poly Network hack?

The evidence shows a strong chance that the signing keys were leaked or otherwise obtained by the attacker, while the company gained some positive PR as the funds were returned to users. But at present it is impossible to make a definite judgment, as inside evidence would be needed to establish the truth.

If Poly Network management was involved behind the scenes, it would be naive to expect them to come clean, as they would then have to deal with unpleasant consequences.

But one lesson from this incident is that DeFi investors must do their due diligence when selecting projects to allocate capital to. And project teams should prioritize security for the industry to become a safer place.
