Poly Network Hack Explained

Poly Network, a lesser-known brand in the world of cryptocurrency, is a decentralized finance (DeFi) platform that enables peer-to-peer transactions, with an emphasis on letting users move or exchange tokens across several blockchains. For instance, a client might use Poly Network to move bitcoin or other digital assets from the Ethereum blockchain to the Binance Smart Chain.
Da Hongfei, a Chinese entrepreneur who is now the CEO of Neo, a blockchain platform, created Poly Network. According to Neo’s website, Poly Network was established in August as a partnership between Neo, cryptocurrency trading platform Switcheo, and blockchain technology firm Ontology.
Poly Network is a distributed ledger technology that runs on the Binance Smart Chain, the Ethereum blockchain, and the Polygon blockchain. Tokens are exchanged across blockchains through a smart contract that specifies when the assets should be released to counterparties.
According to crypto intelligence company CipherTrace, one of the smart contracts used by Poly Network to move tokens across blockchains maintains a high level of liquidity, allowing users to trade tokens effectively.
According to a tweet from Poly Network on Tuesday, the hackers took advantage of a weakness in this smart contract.
According to an examination of the transactions tweeted by Ethereum programmer Kelvin Fichter, the hackers seemed to override the contract rules on each of the three blockchains and redirect the money to three wallet addresses, which are digital locations used to store tokens. Poly Network was then able to trace these addresses and publish them.
According to blockchain forensics firm Chainalysis, the attackers took money in over 12 different cryptocurrencies, including ether and a subset of bitcoin.
According to Chainalysis’s analysis of digital messages broadcast on the Ethereum network, a person claiming responsibility for the breach said that they discovered an unspecified “fault” and wanted to “publicize the vulnerability” before others could exploit it. The messages’ legitimacy could not be verified by Reuters.
On August 10th, Poly Network announced that an unknown attacker breached the network’s smart contract, transferring about 610 million USD (mostly in Ether, Binance Coin, and USDC) to external wallet addresses.
According to cybersecurity company SlowMist and security researcher Kelvin Fichter, the attack was made possible by an oversight in how access permissions were managed between two critical Poly smart contracts: EthCrossChainManager and EthCrossChainData.
Let us begin with EthCrossChainData. This is a highly privileged contract that should not be invoked by anybody but the network's owners, because it is responsible for establishing and maintaining the list of public keys for the "authenticator nodes" (Keepers) that control wallets in the underlying liquidity chains. In other words, EthCrossChainData determines who has the right to transfer the substantial funds stored in Poly's Binance, Ethereum, and other wallets. If an attacker could call the correct function (putCurEpochConPubKeyBytes) within EthCrossChainData, they would not even need to compromise a Keeper's secret key: they could simply replace the Keepers' public keys with their own and then execute a high-volume transaction within the Poly network to exfiltrate a large amount of funds to other wallets. Clearly, this is not a desirable outcome.
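The following Python model is an added example, not Poly Network's contract code. It shows why the owner check on the Keeper key setter is the single control protecting the funds, and how a defender can flag a key change that is not a planned rotation. The class and helper names, the two-thirds signing rule, and the string stand-ins for keys are assumptions made for illustration.

```python
# Simplified model (added example, not Poly Network's contract code).
from dataclasses import dataclass, field


@dataclass
class KeeperStore:
    """Stands in for EthCrossChainData: holds the Keeper public keys."""
    owner: str
    keeper_keys: frozenset
    events: list = field(default_factory=list)  # audit trail of key changes

    def put_cur_epoch_con_pub_key_bytes(self, caller: str, new_keys) -> None:
        # The only barrier between a caller and the Keeper set is this check.
        if caller != self.owner:
            raise PermissionError(f"{caller} is not the owner")
        old = self.keeper_keys
        self.keeper_keys = frozenset(new_keys)
        self.events.append({"caller": caller, "old": old, "new": self.keeper_keys})


def transfer_authorized(store: KeeperStore, signers) -> bool:
    """Assumed rule: more than 2/3 of the registered Keepers must sign."""
    valid = set(signers) & store.keeper_keys
    return len(valid) * 3 > len(store.keeper_keys) * 2


def unexpected_key_changes(store: KeeperStore, approved_sets) -> list:
    """Detection: flag any key update whose result is not a planned rotation."""
    approved = {frozenset(s) for s in approved_sets}
    return [e for e in store.events if e["new"] not in approved]


def demo() -> dict:
    # Constructed sample values: K1..K4 are legitimate Keepers, X1 is not.
    store = KeeperStore(owner="owner", keeper_keys=frozenset({"K1", "K2", "K3", "K4"}))
    result = {"before": transfer_authorized(store, {"X1"})}
    try:
        store.put_cur_epoch_con_pub_key_bytes("outsider", {"X1"})
        result["outsider_blocked"] = False
    except PermissionError:
        result["outsider_blocked"] = True
    # Any call that arrives with the owner's authority passes the check.
    store.put_cur_epoch_con_pub_key_bytes("owner", {"X1"})
    result["after"] = transfer_authorized(store, {"X1"})
    result["alerts"] = len(unexpected_key_changes(store, [{"K1", "K2", "K3", "K4"}]))
    return result


if __name__ == "__main__":
    print(demo())
```

Once the key set changes, signature verification itself still "works", so the key update event is the point at which monitoring has to raise the alarm.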