Poly Network Loses Over $600M in Crypto in The Biggest DeFi Hack

• DeFi site Poly Network was hacked on Tuesday and drained of about $600 million in crypto assets.
• Upcoming cross-chain protocols are vulnerable to attacks with Rari Capital and Thorchain having been hit in the past.

Cross-chain DeFi platform Poly Network was hacked on Tuesday, with the attacker siphoning roughly $600 million in crypto. Launched by the founder of the Neo Chinese blockchain project, Poly Network operates on Binance Smart Chain (BSC), Ethereum, and Polygon blockchains. The recent hack inflicted all three blockchains consecutively.

The Poly Network team was, however, been able to identify three wallet addresses where the stolen crypto assets were transferred. Blockchain scanning platforms show, at writing time, that the three addresses collectively held over $600 million. These are held in USDC, Wrapped Bitcoin, Wrapped Ether, and Shiba Inu.

Important Notice:
We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker’s following addresses:
ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71

— Poly Network (@PolyNetwork2) August 10, 2021

In response, Poly Network urged miners of the affected blockchain and crypto exchanges to blacklist tokens from the hacker’s addresses. Additionally, The Poly Network team wrote a note on Twitter urging the hacker to return the hacked assets. Failure to do this would result in pursuit by law enforcement agencies. The note ended with Poly Network advising the hacker to reach out to them to work out a solution.

Poly Network hack developments

Just an hour after the attack, the hacker attempted to transfer the stolen assets through the Ethereum address to the liquidity pool Curve. fi. The transaction was promptly blocked. Additionally, Tether CTO Paolo Ardoino tweeted that Tether had frozen about $33 million in crypto assets related to the attack. Wu Blockchain, however, tweeted:

Binance and circle need to explain why the 3m BUSD and 26m USDC stolen by hackers are not frozen.

Nonetheless, nearly $100 million was later on moved from the BSC address and placed in the liquidity pool Ellipsis Finance.

BlockSec, a Chinese-based blockchain security firm produced an initial attack analysis report. The firm pointed out that the hack may have been due to private key leakage. This allowed the attacker to sign the cross-chain message. Alternatively, it could have happened if the attacker “abused” a potential bug in the network’s signing process.

Another similar firm, SlowMist, noted that the attacker initially held funds in Monero, a privacy-centric cryptocurrency. The attacker then exchanged them for ETH, BNB, MATIC, and a few other tokens and thereafter initiated the hack. From this, SlowMist concluded that the attack was long-planned and well-orchestrated.

The Root Cause Of @PolyNetwork2 Being Hacked #DeFi #security @TheBlock__ @CoinDesk @ChainNewscom https://t.co/V6NKtII6Hl

— SlowMist (@SlowMist_Team) August 10, 2021

Cross-chain Protocols attack susceptibility

Speaking on the attack, a spokesperson from BSC urged users and protocols to take security measures “extremely seriously.” The spokesperson also noted that a number of trustless bridges had become victims of such attacks. At the moment, BSC and its security partners are proving as much support as they can to the ongoing investigation.

The latest attack is proof of how much upcoming cross-chain protocols are vulnerable to attacks. Of all the hacks in crypto history, Poly Network’s $600 million drain marks the largest attack. Thorchain, also a cross-chain liquidity pool, suffered two attacks in two weeks in July. Another cross-chain DeFi protocol Rari Capital was hit in May, counting losses of nearly $11 million in ETH.