Cryptocurrency and blockchain technology are usually renowned for their tight security and tamper-resistant nature. However, that hasn’t stopped this prolific anonymous hacker from breaching one of the largest digital finance providers in the world.
On Tuesday, August 10th, decentralized finance (DeFi) provider Poly Network announced that they had been attacked on Binance, Ethereum, and Polygon assets valued at $600 million USD.
The value stolen during this attack places this heist as one of the largest security breaches in the history of digital finance. Despite this, the hacker has shown their overall altruistic intentions for the heist by returning most of the funds.
Poly Network has played the incident as a valuable educational mishap for their DeFi platform – thanking this anonymous hacker for exposing security flaws and even offering a $500,000 bounty to this individual.
Although, the story is not over, as $33 million is yet to be returned as the saga reaches its second week. How did the so-called Mr. White Hat remove so much cryptocurrency? Who is this hacker? Ultimately, what does this mean for blockchain security going forward?
What Happened?
Poly Network is a decentralized finance platform that facilitates interoperability between multiple blockchains. According to Poly Network’s recent Medium articles, the hacker exploited cross-chain contract vulnerability. In crypto, smart contracts are transaction protocols that automatically execute with the terms of the agreement between buyer and seller.
According to Twitter user, kelvinfichter, the hacker exploited the contracts “EthCrossChainManager” and “EthCrossChainData.”
For anyone still confused, here's the hack depicted as a beautiful gif pic.twitter.com/Shg5Tdf21Z
— God-like Natural Number Creator Person (TM, R) (@kelvinfichter) August 10, 2021
Fitcher explains that by exploiting these cross-chain contacts, the hacker was able to set public keys that match his own private keys, allowing him to trigger and validate fraudulent cryptocurrency transactions.
The hacker used this exploit to remove $600 million of cryptocurrency assets from the Poly Network “lock box.”
Who’s behind this?
Not much is known about the hacker – or perhaps hackers – behind this attack. Through encoded messages in Ethereum transactions, the hacker spoke with the Poly Network team and agreed to return the stolen assets.
Poly Network initially pledged to take “all legal actions” against the attacker. In a statement released on Twitter shortly after the attack, Poly appealed directly to the hacker to “return the assets” and warned that “law enforcement in any country will regard this as a major economic crime and [the hacker] will be pursued.”
Relations between the Poly Network and this anonymous attacker soon improved after the hacker slowly began to return the funds. This occurred in small increments starting on August 11th, and then in the millions.
Poly Network has nicknamed them ‘Mr. White Hat’. This is in reference to “ethical hacking,” where a white hat hacker exposes security flaws for the greater good.
The DeFi firm has since offered the hacker the position of Chief Security Advisor and offered a $500,000 bounty in return for exposing the security flaw behind the attack. The hacker turned down the generous award, stating: “Money means little to me, some people are paid to hack, I would rather pay for the fun.”
Poly Network has sent the bounty anyway, reasoning, “whatever #mrwhitehat chooses to do with the bounty in the end, we have no objections.”
Where are the funds now?
Over the course of the last two weeks, so-called Mr White Hat has intermittently returned many of the stolen assets. The Binance Smart Chain (BSC), Ethereum and Polygon assets have since been returned to a wallet set up by Poly Network.
The funds still at large include a $33 million USDT portfolio currently frozen by Tether. Poly Network intend the white hat hacker will eventually return the entire $600 million, with the hacker previously requesting that the USDT funds be “unlocked”.
“We have made constant efforts to establish an understanding with Mr. White Hat,” Poly Network took to Twitter to say, “and genuinely hope that Mr. White Hat will transfer the private keys as soon as possible so that we can return full asset control back to the users at the earliest.”
In the meantime, Poly Network has taken this opportunity to launch Phase 3 of their project roadmap, including establishing a new bounty program for other ethical hackers to find similar flaws with an additional bounty pool of $500,000.
#PolyNetwork kicks off #roadmap Phase 3-Project Launch as well as the #bounty program on #Immunefi today. This is a separate $500k #bounty program in addition to the previous 500k proposal for #MrWhiteHat, rewarding $100k for each critical vulnerability. https://t.co/aWHHhGCuvX
— Poly Network (@PolyNetwork2) August 17, 2021
Like what we have to say? Sign up to subscribe to email alerts and you’ll never miss a post.
