A Tale of Two Hacks: Poly Hacker Bows Out, Liquid to Restore Operations
In the aftermath of the recent hacks that targeted interoperability protocol Poly Network and Japanese crypto exchange Liquid, both entities are signalling efforts to restore their operations, as well as freeze and return the stolen assets. Amidst all that, Poly Network’s hacker has apologized “for the inconvenience,” returned the final private key, and bowed out.
BELIEVE IT OR NOT, I HAVE NEVER CONSIDERED THE SHARED WALLET AS THE “HOSTAGE” FOR RANSOM. AS YOU MAY HAVE NOTICED, I HAVE POURED YOUR BOUNTY AND MY COMPENSATION FUND FROM DONATIONS INTO THE SHARED MULTISIG WALLET. NOT SURE IF IT’S CONVENIENT, BUT DISTRIBUTING THE EXTRA ASSETS TO THE “SURVIVORS” WOULD BE THE LAST REQUEST FROM THIS MAN.
In their message in a zero-ETH transaction to Poly’s wallet, they have added that he was trying to “contribute to the security of the Poly project in [his] personal style” and that the incident should be a lesson to the entire DeFi community.
They have also published the final key to unlock the multisig wallet in which the funds are kept, and signed the message, “YOUR CHIEF SECURITY ADVISOR” in a nod to the offer the project had made them for the position.
Furthermore, the cross-chain pools of USDT, ETH, and BTC-pegged “will be gradually re-opened regarding the refund progress of Poly Network,” the network tweeted.
The attacker has been offered the position of Chief Security Advisor on the team, as previously reported. They agreed to return the stolen assets, and in return, Poly Network has provided them with a ETH 160 bounty (currently nearly USD 531,495).
“We are still expecting to restore services gradually early next week,” Liquid said in a statement on August 22.
“So far, we became aware of nine more addresses by the unauthorized party,” they said, adding that they will be continuing to monitor the movement of funds with the support of other exchanges and partners.
In total, USD 91.35m worth of crypto assets were moved out of Liquid wallets, of which USD 16.13m of ERC-20 assets have been frozen in cooperation with the crypto community and other exchanges, the exchange said.
“69 different crypto assets were misappropriated and sent to other exchanges or DeFi swapping venues,” according to Liquid.
George Zarya, CEO at digital asset prime brokerage and exchange BEQUANT, said in an email that the latest hacks show the prevailing vulnerabilities of the crypto industry.
Per Zarya, these hacks tell us three things:
- the industry has not yet worked out how to properly protect these assets from hackers, adding that “we know that most of the hacks are related to human error and may be facilitated by someone on the inside”;
- for retail, there may be more flow shifting to decentralised exchanges as retail investors feel they have more control that way;
- for the institutional community, its time to go back to its roots and apply the same rules which govern settlement in the traditional market infrastructure space, including post trade settlements and with smart contracts replacing central counterparty clearing.
“There is more innovation ahead and we are seeing shifts in clients’ perception and more demand for post-trade settlement,” according to Zarya.
Laurin Bylica, Co-founder of DeFi infrastructure project The Standard Protocol commented that an increasing frequency of such hacks could scare off some traders and crypto users, among others, because of a lack of an efficient insurance mechanism.
“However, this is not particularly a downfall of the crypto space, as hacks also happen every day in the world of fiat money. We often hear that hackers steal the data of millions of credit cards without sparking a bad news cycle,” she said, adding:
“The difference is that the damages get covered by insurance companies, which results in high credit card fees. While credit card users can hardly protect themselves when shopping online, cryptocurrency users can move their funds off exchanges into cold storage, making their crypto assets unreachable for hackers.”