Poly Network Exploiter Starts Returning the Funds, Asks For Donations
The hacker of the decentralized finance (DeFi) interoperability protocol Poly Network, that just lost over USD 600m, first asked the protocol for a multi-signature (multisig) wallet to return the funds - and has started returning it.
According to Tom Robinson, the chief scientist and co-founder of the blockchain data tracker Elliptic, USD 258m has been returned so far, while the hacker "is also asking for donations, as a reward for doing the right thing."
After seemingly having some fun with messages asking if a community vote should decide on where the stolen funds should go, the attacker wrote "READY TO RETURN THE FUND!" - as it stands in the comment attached to a transaction executed by the address marked as 'PolyNetwork Exploiter'. It's not clear, however, if the hacker was planning on returning all the stolen funds.
But then this confusing soup of a situation thickened.
Poly Network had already posted a letter to the hacker threatening them with law enforcement and stating that the money they took in "the biggest [hack] in the [Defi] history" belongs to the people.
And despite apparently wanting to return the funds hours later, in another transaction, the hacker said: "FAILED TO CONTACT THE POLY. I NEED A SECURED MULTISIG WALLET FROM YOU."
Later today, the protocol shared the addresses to which the funds can be returned.
As reported, Poly Network suffered a massive exploit yesterday, seeing the attacker taking off with more than USD 600m. The attack happened on Binance Smart Chain (BSC), Ethereum (ETH), and Polygon (MATIC).
The address on Etherscan, marked as "reported to be involved in a PolyNetwork exploit," contains USD 183m worth of ERC-20 tokens at the time of writing. Polygonscan shows more than USD 85m, and the BscScan address has around USD 133m.
It is still not clear what exactly happened behind this hack. There are even opinions that it was inside job, though many disagree.
The blockchain security specialist Xiamen SlowMist Technology wrote that "the core of this attack is that the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute specific cross-chain transactions through the _executeCrossChainTx function." The attacker replaced the address of the keeper role, constructed a transaction at will, and was able to withdraw any amount of funds from the contract.
Similarly, researcher Kelvin Fichter opined that there is a "critical flow" in Poly Network contract called the 'EthCrossChainManager'.
El Doggo Diablo later added that "the processes have gotten much better since 4 [years] ago."
Meanwhile, there are reports that quite a few individuals and funds in China, where this and related projects are said to be popular, have been affected by the hack. Investor Michael Gu (a.k.a. 'Boxmining') claimed to have been a victim himself, stating that there is nothing he can do about it now.
"The Poly Network hack shows that while cross-chain tech is certainly progressing, it appears to be two steps forward and one step back. Most beta launches are disclaimed such that sending large amounts to un-audited smart contracts is ill-advised by the protocol teams. Still, many investors can’t wait to barge through the gates in order to do a quick 10x flip," Kay Khemani, Managing Director at Spectre.ai, a broker-less trading platform, said.
"The crypto world has two philosophical camps. The Bitcoin world moves slowly and cautiously with an emphasis on security. The other camp has embraced a "move fast and break things" approach. The most obvious examples of this are in the frequent hacks we hear about - Bitcoin DeFi has yet to experience any such hacks," Edan Yago, Contributor to the Bitcoin-based Defi protocol Sovryn, said in an emailed comment.
According to him, the difference goes even deeper, with many projects outside of Bitcoin sacrificing decentralization and opening the door to capture by elites.
'Send me money'
Nearly immediately post-attack, there appeared quite a few of those who were sending messages and/or congratulating the hacker, in hopes that they'd get a tip.
Such comments on Etherscan seem to have been marked as spam. Some still remain though. For instance, Omaz Z Khan said: "Dude, just get all the cryptopunks that you can. SPARE me some eth or just one punk :) Il be indebted."
"Pls airdrop some fund to us, we are suffering year long due to COVID, thanks in advance," said 'meow chia'. User 'chanlaka' wrote a longer post, stating that they lost their parents and are only left with their ill younger sister for whom they need to pay the hospital bills.
'SumYungGuy' shared a larger post on, basically, how to get away with the money.
"bro just airdrop to all help all people!," simply wrote 'justin wong' who took a more egalitarian approach to the situation.
It even seems that many people have decided to send the attacker bits of their ETH or other currency with messages, apparently hoping to get a lot more in return. "i sent you a tiny bit of matic maybe itll get your attention :/ please change my life," commented 'TheBluntsLit,' who has written quite a few praises.
And the person who was reported to have received an ETH 13.37 (USD 42,930) tip, seems to have had some fun as well.
- South Korean Politician: North Has Stolen USD 310M in Crypto Since 2019
- Another Two Binance Smart Chain Projects Suffer Flash Loan Attacks
(Updated at 15:15 UTC with the latest data about the returned funds. Updated at 15:21 UTC with additional comments. Updated on August 12, 10:21 UTC: a quote by El Doggo Diablo was clarified as a previous statement "that the crypto space suffers from "an extreme lack of software security processes"" was not accurate.)