Poly Network Got Robbed of More Than USD 600M
Interoperability protocol Poly Network has confirmed that it has suffered a major exploit - losing at least USD 600.3m of its funds.
"We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the [provided] addresses," said Poly Network, providing three addresses to which it says the assets have been transferred.
"We will take legal actions and we urge the hackers to return the assets," it then added.
No additional information has been provided by the team behind the protocol as of yet.
What can be seen from the addresses is that:
- Polygonscan shows USD 84.93m worth of USD Coin (USDC);
- BscScan shows USD 251.68m in Binance-pegged tokens, ETH, USDC, binance USD (BUSD), among others;
- Etherscan shows nearly USD 264.4m of ETH, USDC, tether (USDT), and other ERC-20 tokens.
That is a total of USD 601m - which some say just may be the largest attack the space has ever seen.
Tether has reacted already and frozen c. USD 33m of USDT.
In a message embedded in an ETH transaction, the alleged hacker said:
"IT WOULD HAVE BEEN A BILLION HACK IF I HAD MOVED REMAINING SHITCOINS! DID I JUST SAVE THE PROJECT?
NOT SO INTERESTED IN MONEY, NOW CONSIDERING RETURNING SOME TOKENS OR JUST LEAVING THEM HERE"
Binance CEO Changpeng Zhao tweeted that "no one controls BSC (or ETH)" but that the Binance team is "coordinating with all our security partners to proactively help," adding: "There are no guarantees. We will do as much as we can." Others, however, ask whether it is nonetheless possible to control the stablecoin BUSD.
The blockchain security specialist Xiamen SlowMist Technology wrote in a social media post on the Weibo platform that it had identified the hacker’s email details, their IP address, and their “device fingerprints.”
SlowMist claimed that it had analyzed data from its Hoo crypto exchange affiliate, as well as other exchanges, and discovered that the hacker had made use of monero (XMR), later moving to trade these for binance coin (BNB), ETH and MATIC.
The company added that the hacker had moved to withdraw the coins to three separate wallet addresses before following up swiftly with a three-chain attack.
And SlowMist concluded that the attack bore all the hallmarks of a carefully “planned, organized and well-prepared” operation.
The firm, which is based in Xiamen, claims to have been “founded by a team with over 10 years of front-line cybersecurity defensive experience,” and said that its security team was still investigating more “vulnerability”-related issues and technical details uncovered in the wake of the attack.
Victims and speculations
The hack has impacted at least one connected project that we know of for now.
The cross-chain function of cross-chain aggregation protocol O3 Swap has been suspended due to the hack, tweeted O3Labs. “We are in contact with the team. Please be patient to back to full functionality,” they said, adding that the non-cross-chain function is available and can be used normally.
Per their documentation, O3 Hub is composed of a cross-chain asset pool, such as a stablecoin pool, and a cross-chain protocol based on Poly Network.
Both projects were initiated by blockchain project Neo (NEO).
According to journalist Colin Wu, there may be money laundering involved, as the Ethereum address tried to deposit funds into exchange liquidity pool Curve.fi. "The first few transaction attempts may be rejected by the mining pool and failed, but the subsequent transaction was successfully deposited and co-deposited approximately 673,227 DAI and 96,389,444 USDC, with 95,269,795 3Crv LP [liquidity provider] shares."
Meanwhile, an interesting dynamic seems to have developed, as there are suggestions that the attacker may be receiving some help along the way in return for hefty tips.
(Updated at 14:32 UTC with a section "Victims and speculations". Updated at 15:02 UTC with a quote from the Binance CEO. Updated at 15:51 UTC with additional reactions. Updated at 16:53 UTC with comments by Xiamen SlowMist Technology. Updated at 17:16 UTC with a message from the alleged hacker.)