{"id":325632,"date":"2021-08-16T16:25:24","date_gmt":"2021-08-16T13:25:24","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/poly-network-hack-exposes-defi-flaws-but-community-comes-to-the-rescue\/"},"modified":"2021-08-16T16:25:24","modified_gmt":"2021-08-16T13:25:24","slug":"poly-network-hack-exposes-defi-flaws-but-community-comes-to-the-rescue","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/poly-network-hack-exposes-defi-flaws-but-community-comes-to-the-rescue\/","title":{"rendered":"# Poly Network hack exposes DeFi flaws, but community comes to the rescue"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_84 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a26b6df5cace\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a26b6df5cace\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/poly-network-hack-exposes-defi-flaws-but-community-comes-to-the-rescue\/#Putting_on_a_white_hat\" >Putting on a white hat<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/buradabiliyorum.com\/en\/poly-network-hack-exposes-defi-flaws-but-community-comes-to-the-rescue\/#The_funds_are_back\" >The funds are back<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/buradabiliyorum.com\/en\/poly-network-hack-exposes-defi-flaws-but-community-comes-to-the-rescue\/#%E2%80%9CNo_thank_you%E2%80%9D_says_%E2%80%9CMr_White_Hat%E2%80%9D\" >\u201cNo, thank you,\u201d says \u201cMr. White Hat\u201d<\/a><\/li><\/ul><\/nav><\/div>\n<p>&#8220;<strong># Poly Network hack exposes DeFi flaws, but community comes to the rescue <\/strong>&#8221;<br \/>\n<img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjEtMDgvOGVkZjZkYTMtNDVmOC00OGFlLTgxMDUtNmMzYjgzNmFlMmFlLmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-128018ef>Although it seemed crypto hacks were on the decline, just recently, the market bore witness to one of the largest-ever attacks in the young history of decentralized finance (DeFi), wherein an unknown hacker was able to exploit a loophole in cross-chain protocol Poly Network\u2019s digital framework, thereby walking away with a cool $610 million from three separate blockchains.<\/p>\n<p>The Poly Network is a collaborative project helmed by Ontology, Neo and Switcheo. It seeks to foster a \u201cheterogeneous interoperability protocol alliance\u201d integrating blockchains into the larger cross-chain ecosystem. Thanks to its infrastructure, the protocol allows users to swap tokens across different blockchains seamlessly.<\/p>\n<p>Further elaborating on the development, Poly Network\u2019s core developer team has revealed that the attack <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/PolyNetwork2\/status\/1425073987164381196\">resulted<\/a> in roughly $273 million from Ethereum, $85 million in USD Coin (USDC) from the Polygon network, and $253 million from the Binance Smart Chain being compromised. Furthermore, sizable amounts of renBTC, wr<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>ed Bitcoin (wBTC) and wrapped Ether (wETH) were also lost as part of the exploit. <\/p>\n<p>In regards to how the hack happened, Anton Bukov, co-founder of DeFi aggregator 1inch Network, told Cointelegraph that one of Poly Network\u2019s sub-systems \u2014 designed to be capable of forwarding users\u2019 smart contract interactions among different blockchains \u2014 turned out to be faulty, adding:<\/p>\n<blockquote><p>\u201cThe hacker bridged fake transaction interactions on one chain to make the system contract on another, transferring ownership rights for the assets\u2019 vault to the hacker\u2019s public key. Poly Network\u2019s developers and auditors didn\u2019t notice the vulnerability, allowing for multiple arbitrary user calls via a smart contract that has many privileges.\u201d<\/p><\/blockquote>\n<h2><span class=\"ez-toc-section\" id=\"Putting_on_a_white_hat\"><\/span>Putting on a white hat<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Providing his thoughts on the matter, John Jefferies, chief financial analyst of CipherTrace, told Cointelegraph that this incident has been especially interesting compared to any DeFi hacks of the past, which typically used a form of flash loans and arbitrage to exploit a smart contract and steal funds, adding:<\/p>\n<blockquote><p>\u201cThe hacker essentially found an exploit that allowed him to bypass the private keys and have the contract just send the funds to himself. In all the swapping the hacker has done in an effort to obfuscate their trail, it appears the hacker had at one point reused a wallet that already had previous transactions with some prominent exchanges that would have identifying KYC information on him.\u201d<\/p><\/blockquote>\n<p>Also, Jefferies is not entirely convinced of what the hacker\u2019s intentions were, even though all of the stolen funds are now back where they belong. \u201cIt is unlikely that a white hat would have taken the steps to attempt to obfuscate the funds trail if they had always intended on returning the money,\u201d he opined.<\/p>\n<p>In a strange yet interesting turn of events, soon after the breach, the Poly Network hacker conducted an Ask Me Anything-style of self-interview, using <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/etherscan.io\/address\/0xc8a65fadf0e0ddaf421f28feab69bf6e2e589963\">embedded<\/a> messages in Ethereum transactions. When asked about why the Poly Network, in particular, was chosen as a target, the hacker answered \u201ccross chain hacking is hot,\u201d adding that they spent a good amount of time trying to identify vulnerabilities on the network to exploit. <\/p>\n<p>Not only that, the hacker claimed that the plan was never to keep the $610 million, but rather expose the vulnerability to the masses before Poly Network\u2019s developers could secretly fix the bug. \u201cI would like to give them [Poly Network] tips on how to secure their networks, so that they can be eligible to manage a billion [dollar] project in the future.\u201d He went on to further add:<\/p>\n<blockquote><p>\u201cWhen spotting the bug, I had mixed feelings. Ask yourself what would you do if you were faced with such a fortune. Asking the project team politely so that they can fix it? Anyone could be the traitor given one billion. I can trust nobody! The only solution I can come up with is saving it in a trusted account.\u201d<\/p><\/blockquote>\n<h2><span class=\"ez-toc-section\" id=\"The_funds_are_back\"><\/span>The funds are back<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Poly Network released a statement on Thursday announcing that all $610 million of the funds had been <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/PolyNetwork2\/status\/1425870262067548163\">transferred<\/a> to a multisig wallet that is under its purview along with the hacker. The only remaining tokens include $33 million worth of Tether (USDT), which were frozen im<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">media<\/a>tely following <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/news\/\" data-internallinksmanager029f6b8e52c=\"2\" title=\"News\" target=\"_blank\" rel=\"noopener\">news<\/a> of the attack.<\/p>\n<p>The Poly Network hacker started off by returning a significant portion of the stolen funds to the cross-chain DeFi protocol. Indeed, a little over a day after the event, CipherTrace confirmed that at least $265+ million had been returned to Poly Network in the form of $1 million in USDC; $256.2 million mostly via Bitcoin BEP-2 (BTCB), Binance pegged-Ether and Binance USD (BUSD); $2.637 million in Binance Coin (BNB); and $3.4 million in Shiba Inu (SHIB), renBTC and Fei.<\/p>\n<p>From the very beginning, the attacker claimed to be willing to return the entirety of the stolen funds \u2014 a promise that was delivered this past Thursday \u2014 claiming that the intention was to teach Poly an expensive lesson about its security flaws. <\/p>\n<p>However, Tom Robinson, chief scientist at blockchain analytics firm Elliptic, is of the view that the change of heart might have been due to the fact that the hacker found it extremely difficult to launder\/cash out the stolen assets due to the transparency of the blockchain.<\/p>\n<p>Sebastian B\u00fcrgel, founder of Ethereum-based data privacy protocol HOPR, told Cointelegraph that while thefts are never a good thing, he thinks that it\u2019s impressive that the DeFi community was able to come together \u2014 from Tether freezing $33 million worth of USDT to OKEx and Binance lending a helping hand in monitoring the siphoned funds \u2014 to prevent the hacker from withdrawing or exchanging any of the involved assets, adding:<\/p>\n<blockquote><p>\u201cHopefully, it will encourage a greater focus on security and auditing. DeFi enthusiasm is infectious, but it\u2019s important to remember that there is huge value at stake. The desire to move quickly can\u2019t trump security.\u201d<\/p><\/blockquote>\n<h2><span class=\"ez-toc-section\" id=\"%E2%80%9CNo_thank_you%E2%80%9D_says_%E2%80%9CMr_White_Hat%E2%80%9D\"><\/span>\u201cNo, thank you,\u201d says \u201cMr. White Hat\u201d <span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>After determining the hacker\u2019s motives to be completely clean, a spokesperson for the Poly Network said that the company was willing to <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/etherscan.io\/tx\/0xbd66349e77b8d4e493e3a13ae146557a72e8585650b6ec3a71c402c66e2d3882\">offer<\/a> the individual \u2014 whom the company dubbed \u201cMr. White Hat,\u201d \u2014 a $500,000 bounty via a message that read, \u201cWe will send you the 500k bounty when the remaining funds are returned except the frozen USDT.\u201d <\/p>\n<p>Surprisingly, the hacker politely <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/etherscan.io\/tx\/0x962d0df8f580051bb53e4fa2a2570073a0cd4c5c719c1936e707101e735ceee1\">refused<\/a>, stating that he never responded to the offer. \u201cI will send all of their money back,\u201d he said, signing off.<\/p>\n<p><strong><em>Related:\u00a0How do DeFi protocols get hacked?<\/em><\/strong><\/p>\n<p>With all of the funds back in place \u2014 bar the aforementioned frozen USDT \u2014 it appears as though the largest hack in decentralized finance history has finally come to a close. And though the hacker\u2019s identity continues to remain a mystery, Chinese cybersecurity firm SlowMist recently released an update claiming that its security team had been able to <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.chainnews.com\/news\/794796710812.htm\">identify<\/a> the attacker\u2019s email address, IP address and device fingerprint. <\/p>\n<p>Hopefully, this episode serves as a stern reminder of how security should always be of supreme importance when laying the foundation of any project, regardless of its technological proposition. Therefore, it will be interesting to see how startups and other firms operating within DeFi continue to evolve and upgrade their existing security setups because the next time around, the hacker may be unwilling to return the money.<\/p>\n<p><template data-name=\"subscription_form\" data-type=\"markets_outlook\"><\/template><\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote><p><strong><span style=\"color: #ff6600;\">If you liked the article, do not forget to share it with your friends. Follow us on\u00a0<span style=\"color: #ff0000;\"><a style=\"color: #ff0000;\" href=\"https:\/\/news.google.com\/publications\/CAAqBwgKMLG0nwswvr63Aw\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Google News<\/a><\/span>\u00a0too, click on the star and choose us from your favorites.<\/span><\/strong><\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\">For forums sites go to <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/forum.buradabiliyorum.com\/\" target=\"_blank\" rel=\"noopener\">Forum.BuradaBiliyorum.Com<\/a><\/span><\/strong>\n<\/p><\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more News articles, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/en.buradabiliyorum.com\/general\/\" target=\"_blank\" rel=\"noopener\">General category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/poly-network-hack-exposes-defi-flaws-but-community-comes-to-the-rescue\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;# Poly Network hack exposes DeFi flaws, but community comes to the rescue &#8221; Although it seemed crypto hacks were on the decline, just recently, the market bore witness to one of the largest-ever attacks in the young history of decentralized finance (DeFi), wherein an unknown hacker was able to exploit a loophole in cross-chain&#8230;<\/p>\n","protected":false},"author":1,"featured_media":325633,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/images\/1200_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjEtMDgvOGVkZjZkYTMtNDVmOC00OGFlLTgxMDUtNmMzYjgzNmFlMmFlLmpwZw==.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74868,74882,4965],"class_list":["post-325632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-defi","tag-hacks","tag-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/325632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=325632"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/325632\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/325633"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=325632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=325632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=325632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}