Cyber Incident Victim: Poly Network
Date:
Jul 2023
Location:
South Korea
Summary
Poly Network suffered a major exploit on its cross-chain bridge protocol. A hacker manipulated a smart contract function, allowing them to issue billions of tokens from thin air across multiple blockchains. While the hacker's wallet held an enormous amount of tokens, a lack of liquidity prevented them from stealing more than a fraction, with estimated losses between $5 million and $10 million. The team urged users to withdraw assets and suspended services.
Description
On or around July 2, 2023, the cross-chain bridge platform Poly Network was compromised in a significant cybersecurity incident, becoming the latest victim of a decentralized finance (DeFi) exploit. The attack was confirmed by Poly Network in a public tweet on the day of the event, with the team announcing it would be temporarily suspending services in response. The exploit was sophisticated, leveraging a vulnerability within the protocol's smart contract system. According to analysis from DeFi security expert Arhat, the core of the exploit stemmed from a smart contract vulnerability that allowed the attacker to craft a malicious parameter containing a fake validator signature and a falsified block header. This malicious input was subsequently accepted by the smart contract, which enabled the hacker to completely bypass the standard verification processes that are critical for securing cross-chain transactions.

This bypass of the verification mechanism was the pivotal step that allowed the attacker to initiate the unauthorized issuance of tokens. The exploit permitted the hacker to issue tokens directly from Poly Network's Ethereum pool and have them delivered to addresses under their control on various other blockchain networks. The process was not isolated to a single chain; the analyst noted that the hacker repeated this method across multiple supported chains, including Metis, BNB Chain, and Polygon. This systematic approach allowed the individual to amass an enormous quantity of tokens that were effectively created, or "minted," out of thin air without any corresponding backing or value. The attacker's wallet holdings reached an astronomical and unprecedented figure at one point, with an estimated value of around $42 billion worth of various tokens, though the vast majority of these assets could not be liquidated.
The scale of the attack was extensive, affecting a wide array of digital assets and blockchain infrastructures. In a subsequent update, the Poly Network team disclosed that the security breach impacted 57 different cryptocurrency assets spread across ten distinct blockchains. The affected networks included Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKX, and Metis. While the initial on-paper value of the minted tokens was immense, the actual financial damage was limited by the inherent liquidity available for these assets on the various decentralized exchanges. The hacker was only able to successfully convert and steal a fraction of the total tokens they had created, as a lack of available liquidity pools for many of the more obscure assets prevented their sale or exchange for more stable or liquid cryptocurrencies.
Blockchain security firm PeckShield was among the first to report on the movement of funds, noting that the exploiter had managed to transfer out at least $5 million worth of cryptocurrency. A later report from another security analytics company, CertiK, provided a higher estimate, concluding that the attack resulted in approximately $10 million worth of crypto being collected across five externally owned addresses controlled by the attacker. The discrepancy in figures highlights the challenges in rapidly assessing the total damages from such a complex event across multiple chains. The Poly Network team itself did not immediately specify a total amount stolen in their initial communications, focusing instead on containing the incident and advising users.
The response from the Poly Network team involved several critical steps aimed at mitigating further damage and assisting affected users. In a July 3 update, the team announced that they had already initiated communication with both centralized exchanges and law enforcement agencies to seek their assistance in investigating the breach and potentially recovering funds. A primary piece of advice issued to the community was for project teams and tokenholders to immediately withdraw their liquidity and unlock their liquidity provider tokens to prevent them from being exposed to the exploiter's actions. This guidance was intended to help users secure their assets while the protocol's services were suspended and the team worked on a resolution.
From a technical perspective, blockchain security solutions provider Dedaub provided a detailed analysis of the incident, which they dubbed the "34 billion Poly Network hack." Their investigation pointed to critical weaknesses in the protocol's multisignature security arrangement. Dedaub noted that the protocol had been operating with a simple "3 of 4" multisignature configuration for over two years, which they implied was an insufficient security measure for a protocol of its size and importance. Their analysis suggested that the private keys for the addresses involved in this multisig arrangement had been compromised, which was a fundamental failure that contributed to the success of the attack. They characterized the attack itself as not being particularly complex, noting that no logic bugs within the smart contract code were exploited; instead, the breach was due to a compromise of the foundational trust mechanisms.
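The two failure modes described above, a bridge contract accepting a forged validator signature and block header, and a "3 of 4" multisignature arrangement whose keys were compromised, come down to how a relayer or contract decides that a cross-chain header is authentic. The following Python is an added illustration, not Poly Network's or Dedaub's code: it models a four-validator set with a threshold of three, binds chain id and height into the signed digest so a header cannot be replayed for another chain, counts distinct signers rather than signature entries, and pairs the signature check with a per-epoch mint cap. The validator names, the HMAC-based signature stand-in (used so the block runs on the standard library alone; a real bridge checks ECDSA or Ed25519), and the `MintLimiter` control are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed 4-validator set standing in for the "3 of 4" arrangement in the text.
# A real bridge would hold public keys and verify ECDSA/Ed25519 signatures; HMAC
# with a per-validator secret is an assumption so the example runs offline.
VALIDATOR_KEYS = {
    "val-a": b"constructed-secret-a",
    "val-b": b"constructed-secret-b",
    "val-c": b"constructed-secret-c",
    "val-d": b"constructed-secret-d",
}
THRESHOLD = 3


@dataclass(frozen=True)
class Header:
    chain_id: int          # source chain the header claims to come from
    height: int            # block height on that chain
    cross_chain_root: str  # commitment to the cross-chain messages in the block


def header_digest(header: Header) -> bytes:
    # Canonical, domain-separated encoding: chain id and height are part of what is
    # signed, so signatures over one chain/height are useless for another.
    payload = json.dumps(
        {"domain": "bridge-header-v1", "chain_id": header.chain_id,
         "height": header.height, "root": header.cross_chain_root},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(payload).digest()


def sign(validator: str, header: Header) -> bytes:
    return hmac.new(VALIDATOR_KEYS[validator], header_digest(header), hashlib.sha256).digest()


def verify_header(header: Header, signatures: list[tuple[str, bytes]]) -> bool:
    """Accept only if at least THRESHOLD *distinct* known validators signed this header.

    Counting distinct signers closes the classic bug where one valid signature
    submitted several times is enough to reach the threshold."""
    digest = header_digest(header)
    valid_signers: set[str] = set()
    for validator, sig in signatures:
        key = VALIDATOR_KEYS.get(validator)
        if key is None:
            continue  # unknown validator: never counted
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            valid_signers.add(validator)
    return len(valid_signers) >= THRESHOLD


class MintLimiter:
    """Per-asset cap on what validly signed headers may unlock per epoch (assumed control).

    A signature check cannot tell a compromised key from an honest one, so an
    independent cap bounds the damage when threshold keys are lost."""

    def __init__(self, cap_per_epoch: int) -> None:
        self.cap = cap_per_epoch
        self.used: dict[tuple[str, int], int] = {}

    def allow(self, asset: str, epoch: int, amount: int) -> bool:
        spent = self.used.get((asset, epoch), 0)
        if amount <= 0 or spent + amount > self.cap:
            return False
        self.used[(asset, epoch)] = spent + amount
        return True


def scenario() -> dict[str, bool]:
    """Constructed cases showing what the threshold check does and does not catch."""
    hdr = Header(chain_id=1, height=17_600_000, cross_chain_root="ab" * 32)
    honest = [(v, sign(v, hdr)) for v in ("val-a", "val-b", "val-c")]
    replayed = [("val-a", sign("val-a", hdr))] * 3  # one key, signature padded x3
    other_chain = Header(chain_id=56, height=hdr.height, cross_chain_root=hdr.cross_chain_root)
    three_lost = [(v, sign(v, hdr)) for v in ("val-a", "val-b", "val-d")]  # 3 keys compromised
    limiter = MintLimiter(cap_per_epoch=1_000_000)
    return {
        "honest_3_of_4": verify_header(hdr, honest),
        "one_key_replayed": verify_header(hdr, replayed),
        "cross_chain_replay": verify_header(other_chain, honest),
        "three_keys_compromised": verify_header(hdr, three_lost),
        "first_mint_within_cap": limiter.allow("TOKEN", epoch=1, amount=900_000),
        "second_mint_over_cap": limiter.allow("TOKEN", epoch=1, amount=900_000),
    }
```

Calling `scenario()` shows the honest header accepted, the padded single signature and the cross-chain replay rejected, and the three-compromised-keys case accepted: the threshold check is working as designed there, which is exactly why the text's point about key compromise matters and why a cap or delay on high-value unlocks belongs beside it.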
The time taken to respond to the attack was also a factor in the final loss amount. According to Dedaub's timeline, Poly Network took approximately seven hours to mount an effective response after the exploit began. This delay provided the attacker with a significant window of opportunity to continue their operations and ultimately resulted in $5.5 million in stolen cryptocurrency. The 2023 incident was not the first major security breach for Poly Network. The protocol was previously attacked in August 2021 in one of the largest-ever exploits in the cryptocurrency industry, during which hackers linked to the North Korean hacking collective known as the Lazarus Group made off with over $600 million in assets. The recurrence of a major exploit on the same platform raised serious questions about its overall security posture and resilience. Following the 2023 event, Binance CEO Changpeng Zhao sought to reassure users of his exchange, stating unequivocally that the incident did not affect Binance users as the exchange did not support deposits from the Poly Network. The broader DeFi community continued to assess the fallout from the attack, which contributed to the over $204 million lost to DeFi hacks and scams in the second quarter of the year alone.
