In one of the largest cryptocurrency hacks to date, cyber-attackers reportedly stole millions from the decentralised finance (DeFi) platform Poly Network.
Attackers reportedly stole $600m from the platform, in what experts say is one of the largest crypto heists to date.
Poly Network, a decentralised finance (DeFi) platform based in China, publicly acknowledged that an attacker “exploited a vulnerability” that allowed them to assign themselves the ownership of money processed through the platform.
Specific Function
According to a statement made on Wed. by the company, attackers abused the function “_executeCrossChainTx”. The company said that this specific function dictates the “between contract calls” & is tied to interoperability needed to communicate between independent blockchains.
A blockchain is a specific type of database. When used in the context of cryptocurrency, it serves as a record-book for irreversible transactions.
Carefully Constructed Data
“The attacker use this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract,” Poly Network stated.
Attackers sucked up a reported $611m in digital tokens. Tokens (or crypto tokens) represent an asset that resides on a blockchain. Unlike a crypto coin, a token is associated with a specific blockchain (or ledger). In this case, it was Poly Network’s platform that was used to steal Ethereum (ETH) & BowsCoin (BSC) tokens.
Important Notice
In an “important notice” posted to Twitter, Poly Network stated:
“We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum & @0xPolygon Assets had been transferred to hacker’s following addresses: ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71.”
In some follow-up tweets the company asked crypto-miners “of affected blockchain & crypto exchanges to blacklist tokens coming from the above addresses. @Tether_to @circlepay.”
Return Funds?
Poly tweeted that it planned to take legal action & demanded that the attackers return the funds.
In a follow-up tweet posted at 7:47am ET, Poly Network observed some assets ($4.7m) were returned by the attackers.
“So far, we have received a total value of $4,772,297.675 assets returned by the hacker,” Poly Network tweeted.
In a message by hackers, associated with the illicit transaction, an attacker wrote; “I need a secured multisig wallet from you.” This, experts say, was an effort to return some of the stolen tokens.
Search Engine
A blockchain analysis by Bleeping Computer revealed some of the money stolen was also redirected to the non-profits Binance Charity & Archive.org. Additional funds were sent to blockchain search engine Etherscan & Ethereum blockchain developer infura.io.
Changpeng Zhao, CEO of Binance, one of 3 platforms from which stolen assets were taken, wrote on Twitter: “We are aware of the poly.network exploit that occurred today. While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can.”
Largest Crypto Attack?
Based on recent publicly disclosed losses due to attacks, Poly Network’s losses are the largest to date to be associated with crypto-currency firms.
In 2018, Coincheck, a Tokyo-based exchange, lost $530m in digital coins. In 2013, Mt. Gox, another Tokyo-based exchange, collapsed after a massive distributed-denial-of-service attack triggered the loss of an estimated $500m dollars in bitcoin. In 2019, Italian exchange Bit Grail was hacked, with losses totalling an estimated $195m.
https://www.cybernewsgroup.co.uk/virtual-conference-september-2021/
