Poly Network overlooked a serious security vulnerability resulting from a weak multisig arrangement that allowed an attacker to hack the system and mint tokens.
Yesterday, Poly Network, a global cross-chain protocol, shocked its users with news about a new attack on its system. According to Web3 cybersecurity firm PeckShield, the bridge platform, which was the victim of a $610 million exploit in 2021, has now lost at least $5 million as a result of the latest hack.
"Dear users, we would like to inform you that Poly Network is temporarily suspending its services due to a recent attack. We are actively engaging with relevant parties and diligently assessing the extent of the affected assets," Poly Network informed its users in a tweet yesterday, calling on cybersecurity experts for assistance.
"To minimize further risks, we have reached out to the majority of project teams and urged them to promptly withdraw liquidity from decentralized exchanges," Poly Network shared the information about its actions with its Twitter community, asking owners of affected assets "to expedite the process of withdrawing liquidity and unlocking their LP tokens."
Initial reports of the attack mentioned 57 affected cryptocurrencies on ten blockchains, including Ethereum, BNB Chain, Polygon, Avax, Genesis, Fantom, Optimism, and Arbitrum.
The initial estimate of losses was a staggering $34 billion. However, as per Dedaub, the cybersecurity firm that was one of the first to discover the exploit, "the actual realized amounts were far smaller, due to most of the tokens being illiquid." According to the Poly Network Affected Assets report, the hacker minted 2.03 trillion tokens that did not previously exist.
"99 million BNB and 10 billion BUSD were issued on Metis; 999.8 trillion SHIB was issued on Heco; 87,500 COW, 999 million OOE, 636 million STACK, 88.6 million GM were issued on Polygon; 378 million STACK, 82.8 million XTM, 11 million SPAY, and 89 million GM were issued on Avax; 8 million METIS, 926 million DOV, 978 million SLD, and other assets were issued on BSC," DeFi analyst Arhat cited statistics from Chinese crypto reporter Colin Wu.
In a tweet, Arhat added, "At one point, the hacker’s wallet held over $42 billion worth of tokens (on paper) immediately following the hack." Yet, "despite the magnitude of this hack, the hacker was only able to convert a small portion of these tokens SHIB, COOK, RFuel into ETH, which was worth about $400,000 in total," Arhat explained.
News of the recent attack on Poly Network has left many in the crypto community wondering how the protocol failed to address its vulnerabilities after the previous hack, which had been considered the largest cryptocurrency hack in history before the 2022 Ronin Network exploit that caused $625 million in losses.
Although it appeared that the previous event had drawn Poly Network's attention to the cybersecurity problem, and the protocol joined the white-hat platform Immunefi with a bug bounty of $100,000 for critical vulnerabilities, the problems have still not been fixed.
The multisig arrangement mentioned by Dedaub refers to the protection of cryptocurrency with multiple signatures, all of which are required to complete a transaction. Each signature is produced with a different cryptographic private key, and Dedaub believes that in Poly Network's case these keys were either stolen or misused. The company stresses that, while no logical flaws in the smart contracts were exploited, the hacker manipulated proofs and signatures, which was not a complicated task considering the fairly limited number of key holders.
Dedaub’s investigation revealed that the attack targeted the "unlock" feature, which affects the cross-chain management contracts that facilitate token transfers between different chains. This allowed the attacker to retrieve tokens from the original chain.
"It is common for decentralized protocols to employ 'keepers,' i.e., external systems controlled by the development team that feed vital information to the smart contracts. This is sometimes necessary since smart contracts cannot operate autonomously and need to be invoked externally. What is less common, however, is to rely on 3 keepers for the end-to-end security in a high TVL cross-chain bridge," Dedaub further breaks down the protocol’s vulnerabilities in its blog post, highlighting the detrimental effects caused by Poly Network's slow response to the attack. According to Dedaub, it took the platform seven hours to react to the hack, which allowed the attacker to "orchestrate several transactions on multiple chains."
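The two points Dedaub makes, that the contracts' signature checks worked as designed while the keeper keys behind them were compromised, and that the slow reaction left the attacker hours to act, can be illustrated with a small model. The following is an added example written for this article, not Poly Network's code or Dedaub's analysis: a toy cross-chain bridge with a 3-of-4 keeper multisig (the threshold, keeper names, and HMAC-based "signatures" standing in for real keeper signatures are all constructed assumptions) plus a supply-invariant monitor that flags any unlock releasing more of a token than was ever locked. Such an invariant check is a detection control that keeper signatures alone cannot provide, since an unlock signed by enough compromised keepers passes the contract's checks.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed keeper secrets: stand-ins for keeper private keys in this toy model.
KEEPER_SECRETS = {
    "keeper-1": b"toy-secret-1",
    "keeper-2": b"toy-secret-2",
    "keeper-3": b"toy-secret-3",
    "keeper-4": b"toy-secret-4",
}
THRESHOLD = 3  # assumed policy for the toy bridge: 3 of 4 keepers must sign an unlock


def unlock_digest(dst_chain: str, token: str, recipient: str, amount: int, nonce: int) -> bytes:
    """Canonical digest of an unlock request; every keeper signs exactly these bytes."""
    payload = json.dumps(
        {"chain": dst_chain, "token": token, "to": recipient, "amount": amount, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).digest()


def keeper_sign(keeper_id: str, digest: bytes) -> str:
    """HMAC over the digest as a stand-in for a keeper's signature (real keepers use ECDSA/EdDSA)."""
    return hmac.new(KEEPER_SECRETS[keeper_id], digest, hashlib.sha256).hexdigest()


def sign_with(keeper_ids: list, digest: bytes) -> list:
    """Collect (keeper_id, signature) pairs from the named keepers."""
    return [(k, keeper_sign(k, digest)) for k in keeper_ids]


def verify_multisig(digest: bytes, signatures: list) -> bool:
    """Accept only if at least THRESHOLD *distinct* registered keepers signed this digest."""
    valid = set()
    for keeper_id, sig in signatures:
        if keeper_id not in KEEPER_SECRETS:
            continue  # unknown signers are ignored and never counted
        if hmac.compare_digest(keeper_sign(keeper_id, digest), sig):
            valid.add(keeper_id)  # a set, so the same keeper signing twice counts once
    return len(valid) >= THRESHOLD


@dataclass
class BridgeMonitor:
    locked: dict = field(default_factory=dict)    # token -> total locked on the source chain
    unlocked: dict = field(default_factory=dict)  # token -> total released on destination chains
    seen_nonces: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def record_lock(self, token: str, amount: int) -> None:
        self.locked[token] = self.locked.get(token, 0) + amount

    def process_unlock(self, dst_chain, token, recipient, amount, nonce, signatures) -> bool:
        """Contract-level checks (replay, threshold) followed by the off-chain supply invariant."""
        digest = unlock_digest(dst_chain, token, recipient, amount, nonce)
        if nonce in self.seen_nonces or not verify_multisig(digest, signatures):
            return False  # rejected by the contract's own checks
        self.seen_nonces.add(nonce)
        self.unlocked[token] = self.unlocked.get(token, 0) + amount
        # Invariant: a bridge can never release more of a token than was locked on the source
        # chain. A breach means tokens "that did not previously exist" were created, whatever
        # the signatures say; this is the signal a keeper-key compromise leaves behind.
        if self.unlocked[token] > self.locked.get(token, 0):
            self.alerts.append(
                f"{token}: unlocked {self.unlocked[token]} exceeds locked {self.locked.get(token, 0)}"
            )
        return True


def run_scenario() -> BridgeMonitor:
    """Constructed scenario: one honest unlock, then an unlock signed by enough keepers but
    for far more than was ever locked. The multisig accepts it; the invariant monitor alerts."""
    m = BridgeMonitor()
    m.record_lock("SHIB", 100)
    honest = unlock_digest("heco", "SHIB", "0xabc", 60, 1)
    m.process_unlock("heco", "SHIB", "0xabc", 60, 1, sign_with(["keeper-1", "keeper-2", "keeper-3"], honest))
    oversized = unlock_digest("heco", "SHIB", "0xabc", 1000, 2)
    m.process_unlock("heco", "SHIB", "0xabc", 1000, 2, sign_with(["keeper-1", "keeper-2", "keeper-4"], oversized))
    return m


if __name__ == "__main__":
    for alert in run_scenario().alerts:
        print("ALERT:", alert)
```

The design point is that the threshold check and the invariant check answer different questions: the multisig asks whether enough keepers approved, while the supply invariant asks whether the approved action is even possible for an honest bridge. Running the invariant continuously against on-chain events, with an automatic pause of the bridge when it trips, is what turns a multi-hour response window into a matter of minutes.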
Meanwhile, representatives of some of the blockchains affected by the hack hastened to reassure their users that their own systems were in no way affected by the attack.
Mudit Gupta, CISO of Polygon Labs, tweeted yesterday, "Poly Network has NOTHING to do with Polygon," adding that such attacks will keep happening "until the industry changes our approach to security."
Binance's CEO Changpeng Zhao also commented on the incident, saying, "This does not affect users. We do not support deposits from this network. Our security team is assisting them in its investigations though."