Poly Network Crypto Theft

A Case Study - Avinash K


Attack Vector
The Attack Vector which was
exploited in this “Poly Hack” was
Software vulnerabilities
● The hacker exploited a
vulnerability, which is the
_executeCrossChainTx function
●
between contract calls,
This Attack effectively allowed
the intruder to declare
themselves as the owner of any
funds processed through the
platform.
 Poly Network
Poly Network is built to implement
interoperability between multiple
chains in order to build the next
generation internet infrastructure
● A decentralised finance (DeFi)
● Poly Network was founded by
Chinese entrepreneur Da
Hongfei, Poly Network has already
integrated Bitcoin, Ethereum, Neo
& various others.
platform that facilitates users that
lend, borrow, exchange or trade
cryptocurrencies – and earn or pay
interest while doing so.
 ● Poly seems to have had a bug that was not identified until now, an
instruction that was used only internally and should not have been
possible to access by those outside the company.
● Poly has this contract called the "EthCrossChainManager". It's
basically a privileged contract that has the right to trigger
messages from another chain.
● But Poly forgot to prevent users from calling a very important
Vulnerabilities ●
target, the EthCrossChainData contract.
It keeps track of the list of public keys that authenticate data
coming from the other chain. If you can modify that list, you don't
even need to hack private keys. You just set the public keys to
match your own private keys.
● The EthCrossChainManager owned the EthCrossChainData
contract. The EthCrossChainManager shouldn't have owned the
EthCrossChainData contract. Exploiting the Vulnerability through
EthCrossChainManager and few function calls transferred
ownership of all transactions on that platform to the hacker.
 10/08/2021 (14:30 +UTC):- Poly Network was attacked on Tuesday (10/08/2021), with
the alleged hacker draining roughly $600 million in crypto.

11/08/2021 :- Poly Network poste addresses for Etherium, BSC and Polygon to
return the assets. Tether Freezed assets of worth $33M.
11/08/2021 (04:18:39 PM +UTC) :- $260 million of assets had been returned -
Ethereum: $3.3M, BSC: $256M, Polygon: $1M. Hence declared as a White Hack.

12/08/2021 :- Poly tweeted “As our communication with Mr. White Hat is going on, the
remaining user assets on Ethereum are gradually transferred to the multisig wallet requested
by Mr. White Hat.”
TIMELINE
13/08/2021 :- Approximately $238 million is currently being transferred to the 3/4
multi-signature wallet, while we still wait for Mr. White Hat to provide his final key
authorization. Approximately $33 million USDT is frozen, and #PolyNetwork is actively
communicating with Tether to determine the next course of action.

14/08/2021 :- New Patch was released after the Vulnerability was fixed and users
who lost the assets had getting their assets through a asset recovery team

15/08/2021 :- The Poly Network thanked and offered position of Chief Security
Advisor with $500,000 and left the decision to the Mr White Hat (the attacker). The
identity has been not found till date. Few Q&A were released later.
COST
● Approx $600 M was stolen from
the platform.
● It was sufficient to cause a
economic crisis for
cryptocurrency.
● Reputation damage and possible
insider threat.
● This hack was a warning and a
show of how devastating it could
have been.
PREVENTION
● Employing Strong Security
measures to find Vulnerabilities.
● Outsourcing to Bug Bounty
programs to increase the chance
of discovering Software
vulnerabilities.
● Continuously patching to
eradicate known vulnerabilities if
existing.
● Periodically conducting
vulnerability assessments and
pentesting.
Thank you ^,^