Legendary Hacker: the White Hat into the Rescue

By xuanling11 | Crypto Learning | 20 Aug 2021


This article follows my previous one, Crypto Hacking, and it is very long! Just a warning.

This legendary hacking journey starts with the little-known Poly Network.

Nobody knew what Poly Network was until the hacking incident, the biggest in hacking history.


What is Poly Network?

It is a platform that connects all blockchains and provides cross-chain services.

Similar to crypto exchange platforms where you can find all cryptocurrencies, the Poly Network provides one place for blockchains to interconnect, so that crypto can move from one chain to another without going through a conversion process (a crypto exchange platform).

Poly Network is a Layer 3 solution that uses Dapps and builds a bridge on top of each blockchain so that every crypto can transfer to each blockchain seamlessly.

According to its white paper, it functions just like Defi, without tokens to facilitate the transaction.

Where does the Poly Network come from?

It is a project that NEO founded in 2020 to explore an interoperability protocol that connects each blockchain to provide services.

 

The benefit of using the Poly Network

There are no benefits to using the Poly Network, and the concentration of cross-chain assets is prone to security breaches.

Yeah, you heard it. No benefit at all, because it is a middleman providing a mix of services that may be violated in the future if assets get mixed up or used for laundering-like activities.

Even though the white paper claims many advantages, none of them distinguishes trading on a cross-chain platform from trading on a crypto exchange.

Well, it is good to have one.

The Mr. White Hat


Just two months after Poly Network announced that its accumulated assets had hit $700 million, it got hacked and suffered one of the largest losses in history: a total of $600 million across different cryptocurrencies.


Not to mention, Poly Network is a Chinese-backed Defi project pooled with lots of Chinese investors.

However, that doesn’t make the technology less competitive than that of other nations; it is created equally.

Then Mr. White Hat, the hacker, just broke the code and took the money out for “fun.”


Defi communities were shocked

Everyone was scratching their heads and wondering how the hack happened?!

Vulnerability of middleman services 

I mentioned before that hacking always happens when someone else handles your funds, not when you send them from your own wallet.

The key difference from sending funds out of your own wallet is that you give up the execution function when a service provider acts as your agent.

In contrast, when you send funds from your wallet, you will likely verify which party will accept your funds.

On a crypto exchange or the like, you hand off your execution rights to the middleman that serves you.

Decentralized assets run on top of centralized Defi services.

Reddit users point out the code deficiency

u/publius-varus pointed out that there was a code deficiency that made Poly Network vulnerable to hackers.


u/CPlusPlusDeveloper then clarified that Poly Network simply copies and pastes a signed transaction from chain A to chain B without a validation process.

The critical validation process can be bypassed by overwriting authority on top of the administrator, a pretty standard hack method in the Windows operating system or any program that has administrator override code.


This is one possible hack.


Mismanaged access rights of the Poly smart contract

Similarly, the second possible hack method is to exploit the smart contract.

Again, by exploiting the privileged access rights of the smart contract, which go through no validation process, one can modify the code to overwrite the privilege.

First, overwrite EthCrossChainData to decide which user receives the funds.

Second, execute the transaction through EthCrossChainManager to trigger the transfer without even compromising the private key.
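
The two steps above describe a confused deputy: the manager contract relays cross-chain calls and also holds the authority to rewrite the data contract. The Python model below is an added illustration, not Poly Network's code; the two class names follow the contracts named above, while Vault, the keeper names and every method name are hypothetical. It shows the unchecked relay beside a version that restricts relay targets.

```python
# Toy model added for illustration; not Poly Network's contract code.
# Vault and all method names are hypothetical.

class EthCrossChainData:
    """Holds the keeper set; only its owner may replace it."""
    def __init__(self, owner, keepers):
        self.owner, self.keepers = owner, set(keepers)

    def set_keepers(self, caller, keepers):  # hypothetical privileged setter
        if caller is not self.owner:
            raise PermissionError("only the owner may replace keepers")
        self.keepers = set(keepers)

class Vault:
    """An ordinary application contract that relayed messages are meant to reach."""
    def __init__(self):
        self.notes = []

    def record(self, caller, note):
        self.notes.append(note)

class EthCrossChainManager:
    """Relays cross-chain messages and is also the owner of the data contract."""
    def __init__(self, allowed_targets=None):
        self.data = None
        self.allowed_targets = allowed_targets  # None models the unchecked relay

    def execute(self, target, method, args):
        # Hardened path: relay only to registered application contracts and
        # never into the manager's own privileged data store.
        if self.allowed_targets is not None:
            if target is self.data or target not in self.allowed_targets:
                raise PermissionError("target not allowed for relayed calls")
        # The relayed call runs with the manager's authority (caller=self).
        return getattr(target, method)(self, *args)

def build(hardened):
    vault = Vault()
    mgr = EthCrossChainManager([vault] if hardened else None)
    mgr.data = EthCrossChainData(owner=mgr, keepers={"keeper-1", "keeper-2"})
    return mgr, vault

def relay_untrusted_message(hardened):
    """Relay a constructed message whose target is the data contract itself."""
    mgr, _ = build(hardened)
    try:
        mgr.execute(mgr.data, "set_keepers", [{"untrusted-key"}])
    except PermissionError:
        pass  # rejected by the target check
    return mgr.data.keepers
```

The owner check in the data contract passes in the unchecked case because the caller really is the owner; the missing control is on what the owner is willing to relay.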

 

Missing core security cryptographic step

The key to cryptocurrency being unhackable is its private-key validation process. Unfortunately, Defi and any Dapp built on top of the blockchain did not have such a mechanism.

This essential step slows down network processing, and in finding a scalability solution, a developer may have to make a trade-off.

However, security may not be traded off, as the result is massive hacking.

The rest of the story becomes legendary

Mr. White Hat did not intend to own the funds but to return them within 24 hours; it was just for fun.

Here is the complete Q&A story:


Mr. White Hat explains his hack in Part 8, about the Cross Chain Manager Proxy that can easily be bypassed.

Offering a job to a hacker

Therefore, Mr. White Hat got an offer of a $500,000 bounty and the title of Chief Security Officer.


In conclusion

This article demonstrates a fraction of Defi’s security concerns and how future hackers may continue to attack Defi or any crypto project to exploit funds.

We may not be fortunate enough to have another Mr. White Hat who returns all the funds without authorities enforcing the legal process.

Photo by Max Bender on Unsplash

Disclosure: I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it. I have no business relationship with any company whose cryptocurrencies are mentioned in this article. This information is only for educational
