Hackers pulled off the biggest ever cryptocurrency heist on Tuesday,
stealing $613 million in digital coins from token-swapping platform Poly
Network, only to return $260 million worth of tokens less than 24 hours later,
the company said. Here's what we know so far about the heist.
WHAT IS POLY NETWORK?
A lesser-known name in the world of crypto, Poly Network is a
decentralized finance (DeFi) platform that facilitates peer-to-peer
transactions with a focus on allowing users to transfer or swap tokens across
different blockchains.
For example, a customer could use Poly Network to transfer tokens such
as bitcoin from the Ethereum blockchain to the Binance Smart Chain, perhaps
looking to access a specific application.
It was not immediately clear from Poly Network's website where the
platform is based or who runs it. According to specialist crypto website
Coindesk, Poly Network was launched by the founders of Chinese blockchain
project Neo.
HOW DID HACKERS STEAL THE TOKENS?
Poly Network operates on the Binance Smart Chain, Ethereum and Polygon
blockchains. Tokens are swapped between the blockchains using a smart contract
which contains instructions on when to release the assets to the
counterparties.
One of the smart contracts that Poly Network uses to transfer tokens
between blockchains maintains large amounts of liquidity to allow users to
efficiently swap tokens, according to crypto intelligence firm CipherTrace.
Poly Network tweeted on Tuesday that a preliminary investigation found
the hackers exploited a vulnerability in this smart contract.
According to an analysis of the transactions tweeted by Kelvin Fichter,
an Ethereum programmer, the hackers appeared to override the contract
instructions for each of the three blockchains and diverted the funds to three
wallet addresses, digital locations for storing tokens. These were later traced
and published by Poly Network.
The attackers stole funds in more than 12 different cryptocurrencies,
including ether and a type of bitcoin, according to blockchain forensics
company Chainalysis.
A person claiming to have perpetrated the hack said they had spotted a
"bug," without specifying, and that they wanted to "expose the
vulnerability" before others could exploit it, according to digital
messages posted on the Ethereum network published by Chainalysis. Reuters could
not verify the authenticity of the messages.
WHERE DID THE MONEY GO?
As of late Wednesday, the hackers had returned $260 million of the
assets, Poly Network said, but $353 million was outstanding. It is unclear
where the remaining assets have gone.
Coindesk reported on Tuesday that the hackers had tried to transfer
assets including tether tokens from one of the three wallets into liquidity
pool Curve.fi, but that transfer was rejected. About $100 million has been
moved out of another of the wallets and deposited into liquidity pool Ellipsis
Finance, Coindesk also reported.
Curve.fi and Ellipsis Finance could not immediately be reached for
comment.
WHO IS THE HACKER?
The hacker or hackers have not yet been identified.
Cryptocurrency security firm SlowMist said on its website that it has
identified the attacker's mailbox, internet protocol address, and device
fingerprints, but the company has not yet named any individuals. SlowMist said
the heist was "likely to be a long-planned, organized and prepared
attack."
The purported hacker posed as a so-called "white hat", an ethical
hacker who aimed to identify the vulnerability for Poly Network and had
"always" planned to give the money back, according to the messages
published by Chainalysis. Some crypto experts are skeptical.
Gurvais Grigg, chief technology officer at Chainalysis and former FBI
veteran, said it was unlikely that white hat hackers would steal such a large
sum. He said they had probably returned some of the funds because it had proved
too difficult to convert them into cash.
"It's hard to know the motivation ... Let's see if they return the whole amount," he added.