PolyNetwork: How the $600M DeFi Hack Happened
The DeFi space saw its biggest heist so far after a cross-chain smart contract was attacked and drained of multiple crypto assets on three separate blockchains. The unprecedented hack exploited a smart contract vulnerability, taking away funds worth more than $600M.
PolyNetwork built infrastructure to transfer funds between blockchains. Its technology bridged Binance Chain, Ethereum, and Polygon, three of the most heavily used blockchains for DeFi activity, and facilitated transactions with various decentralized protocols.
How the Hack Happened
Initially, the working hypothesis was human error or some other form of private key theft that gave access to fund transfers. However, deeper analysis pointed to a targeted exploit of the cross-chain functionality of one of the Poly Network smart contracts.
Analysis of the capabilities of the cross-chain contract shows that its design allowed the hacker to pass a checkpoint and divert funds without needing private keys or any other authorization.
This allowed the hacker to authorize transactions in multiple tokens, including stablecoins.
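The passage above gives only the outcome: a checkpoint in the cross-chain contract could be passed without keys or other authorization. As an added example, and not the Poly Network code or a description of its actual flaw, the following Solidity sketch shows the checks a bridge's message executor needs at such a checkpoint: the caller must be the component that verified the cross-chain proof, each message id executes only once, and the forwarded call is restricted to an allowlist of target contract and function selector, with the executor itself excluded so that a relayed message can never reconfigure the bridge. The contract and all names in it (CrossChainExecutor, verifier, allowCall, execute) are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

/// Illustrative cross-chain message executor (not the Poly Network contract).
/// Messages arrive from a separate proof verifier; this contract decides
/// whether a verified message may be forwarded, and to whom.
contract CrossChainExecutor {
    address public immutable verifier; // hypothetical proof-checking component
    address public owner;

    // target contract => function selector => allowed?
    mapping(address => mapping(bytes4 => bool)) public allowedCall;
    // message id => already executed? (prevents replay of the same message)
    mapping(bytes32 => bool) public executed;

    event CallAllowed(address indexed target, bytes4 indexed selector, bool allowed);
    event MessageExecuted(bytes32 indexed id, address indexed target, bytes4 selector);

    constructor(address _verifier) {
        require(_verifier != address(0), "verifier required");
        verifier = _verifier;
        owner = msg.sender;
    }

    /// Register which (contract, function) pairs a cross-chain message may reach.
    /// The executor itself is never a valid target: a message must not be able
    /// to change the allowlist or any other bridge configuration.
    function allowCall(address target, bytes4 selector, bool allowed) external {
        require(msg.sender == owner, "not owner");
        require(target != address(this), "bridge cannot target itself");
        allowedCall[target][selector] = allowed;
        emit CallAllowed(target, selector, allowed);
    }

    /// Called by the verifier only after it has validated the proof for `id`.
    function execute(bytes32 id, address target, bytes calldata data) external {
        require(msg.sender == verifier, "caller is not the verifier");
        require(!executed[id], "message already executed");
        require(data.length >= 4, "calldata has no selector");

        bytes4 selector = bytes4(data[:4]);
        require(allowedCall[target][selector], "target/function not allowed");

        // Effects before interaction: mark as executed before the external call.
        executed[id] = true;

        (bool ok, ) = target.call(data);
        require(ok, "target call failed");
        emit MessageExecuted(id, target, selector);
    }
}
```

The two properties worth checking in any bridge of this shape are that the privileged caller (here `verifier`) is the only path into `execute`, and that the set of reachable targets is closed: if the executor, or any contract that can change the bridge's keys or configuration, is reachable through a relayed message, then whoever can get a message past the proof check controls the bridge.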
Funds Locked, Concealed or Waiting
One of the hopes for Poly Network is that the hacker had white hat intentions and may decide to return the funds. The project actually made a call to the hacker to return the stolen assets, similar to the recent ethical hacking of THORChain.
Multiple assets were diverted on the Ethereum network, with an estimated value of $273M. Another $253M worth of assets were moved on Binance Chain, and $85M on Polygon Network.
Of those, $33M of Tether (USDT) was blacklisted, essentially preventing the hacker from spending or exchanging it. However, some of the assets were swapped for the untraceable and fully decentralized DAI stablecoin.
The hacker also used Curve Finance, where the blacklist and freeze features of the USDC stablecoin cannot reach the assets.
The recent exploit shows the inherent risks and limitations of the DeFi space, as well as its potential for free fund transfers and disruptions. Until recently, DeFi exploits mostly consisted of rug pulls, with the largest attacks at around $30M. Smaller rug pulls were not unusual, nor were flash loan attacks that led to rapid losses.
However, an outright transfer of funds to multiple decentralized protocols now looks extremely hard to trace and contain. In the past, attacks and hacks were limited by the need to use centralized exchanges. Market operators like the Binance Exchange could easily freeze or blacklist wallets. But the possibility of moving funds through anonymous smart contracts alone extends the risk for DeFi protocols.
Hack Showed USDT is Not Decentralized
One of the debates surrounding dollar-pegged coins is the issuer's ability to freeze or centrally control some of the assets. Tether has done this in the past, blacklisting 30M USDT after an earlier exploit of its own protocol.
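The freeze and blacklist capability discussed here and in the section above is a property of the token contract itself: the issuer keeps an administrative role that can flag addresses, and every transfer checks those flags. The following Solidity sketch is an added, simplified illustration of that pattern and is not Tether's, Circle's or Binance's code; the contract name FreezableToken and its functions (mint, blacklist, unblacklist, transfer) are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Minimal fiat-backed stablecoin sketch with an issuer-controlled blacklist.
/// Illustrative only: real issuer contracts carry far more machinery.
contract FreezableToken {
    string public constant name = "Freezable USD (example)";
    uint8 public constant decimals = 6;

    address public immutable issuer;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public isBlacklisted;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Blacklisted(address indexed account);
    event Unblacklisted(address indexed account);

    modifier onlyIssuer() {
        require(msg.sender == issuer, "not issuer");
        _;
    }

    constructor() {
        issuer = msg.sender;
    }

    /// Issuer mints against off-chain reserves.
    function mint(address to, uint256 amount) external onlyIssuer {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    /// The centralized lever: once flagged, an address can neither send
    /// nor receive, so funds sitting there are effectively frozen on-chain.
    function blacklist(address account) external onlyIssuer {
        isBlacklisted[account] = true;
        emit Blacklisted(account);
    }

    function unblacklist(address account) external onlyIssuer {
        isBlacklisted[account] = false;
        emit Unblacklisted(account);
    }

    /// Every transfer consults the blacklist before moving balances.
    function transfer(address to, uint256 value) external returns (bool) {
        require(!isBlacklisted[msg.sender], "sender is frozen");
        require(!isBlacklisted[to], "recipient is frozen");
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }
}
```

The freeze only binds while the funds remain in a token whose transfer function has such a check. A stablecoin with no issuer role and no blacklist hook in its transfer path offers the issuer no equivalent lever, which is why swapping blacklistable stablecoins into a token of that kind removes the freeze option.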
Now, the USDT diverted from the Poly Network smart contract was blacklisted, leading to an exchange between the anonymous hacker and another user. The Poly Network hacker actually sent 13.37 ETH to a user that sent out a warning about USDT being blacklisted and potentially used to trace the hacker.
In an exchange that attracted social media attention, the receiver of the bounty then sent 1.337 ETH to Vitalik Buterin’s wallet, extending the inner joke forever on the Ethereum network.
The hacker’s actions revealed the potential to trace and freeze funds, showing that not all cryptocurrency projects are regulated or subject to such control. The DeFi space remains entirely unregulated, boasting smart contracts as the solution to financial middlemen. However, with no legal responsibility, loss of funds is usually permanent and not refundable.
Will Other Funds Be Frozen?
Other stablecoins taken, BUSD and USDC, are known to have freeze or blacklist capabilities. However, Binance and Circle have yet to move in and lock the funds.
At this point, the crisis with Poly Network is still developing, and it is uncertain which tokens will end up blacklisted or moved and exchanged in ways that make the funds unreachable.
DeFi Grows Despite Risks
The DeFi space keeps growing despite the risks to funds and the prevalence of unverified smart contracts.
The total value locked in the DeFi space is above $80B, expanding again after dipping near $40B. ETH prices above $3,000 with a positive growth outlook drive adoption with the expectation of passive returns.
To participate in DeFi, users must send funds to be wrapped or held in smart contracts. Control over the assets varies, and the smart contracts may have unexpected exploits and consequences.
Cross-chain functionality is also trending, requiring sophisticated code to create different token versions and bridges between blockchains. It allows users to make use of DeFi funds accrued on several blockchains, moving both tokens and stablecoins for decentralized trading, yield farming or other types of DeFi earnings.