{"id":1290,"date":"2021-08-11T08:57:07","date_gmt":"2021-08-11T07:57:07","guid":{"rendered":"https:\/\/tradersofcrypto.com\/news\/?p=1290"},"modified":"2021-08-11T08:57:07","modified_gmt":"2021-08-11T07:57:07","slug":"polynetwork-how-the-600m-defi-hack-happened","status":"publish","type":"post","link":"https:\/\/tradersofcrypto.com\/news\/polynetwork-how-the-600m-defi-hack-happened\/","title":{"rendered":"PolyNetwork: How the $600M DeFi Hack Happened"},"content":{"rendered":"\n<p>The DeFi space saw its biggest heist so far after a cross-chain smart contract was attacked and drained multiple crypto assets on three separate blockchains. The unprecedented hack exploited a smart contract vulnerability, taking away funds worth more than $600M.&nbsp;<\/p>\n\n\n\n<p>PolyNetwork built infrastructure to transfer funds between blockchains. Its technology bridged Binance Chain, Ethereum, and Polygon, three of the most well-used blockchains related to DeFi activity. PolyNetwork facilitated transactions to various decentralized protocols.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How the Hack Happened<\/strong><\/h3>\n\n\n\n<p>Initially, the hypothesis for the hack was a human error or another approach to stealing private keys that gave access to fund transfers. However, deeper analysis pointed to a targeted exploit of the cross-chain functionalities of one of the Poly Network smart contracts.&nbsp;<\/p>\n\n\n\n<p>Analysis of the capabilities of the cross-chain contract shows that the design allowed the hacker to pass a checkpoint and divert funds without even needing private keys or other authorization.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">Ok here&#39;s how the Poly Network hack actually worked. If I&#39;m reading the contracts correctly, it&#39;s pretty genius.<\/p>&mdash; God-like Natural Number Creator Person (TM, R) (@kelvinfichter) <a href=\"https:\/\/twitter.com\/kelvinfichter\/status\/1425217046636371969?ref_src=twsrc%5Etfw\">August 10, 2021<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<p>This allowed the hacker to authorize transactions in multiple tokens, including stablecoins.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Funds Locked, Concealed or Waiting<\/strong><\/h3>\n\n\n\n<p>One of the hopes for Poly Network is that the hacker had white hat intentions and may decide to return the funds. The project actually made a call to the hacker to return the stolen assets, similar to the recent <a href=\"https:\/\/tradersofcrypto.com\/news\/thorchain-rune-faces-attack-ransom-request\/\">ethical hacking of THORChain<\/a>.\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">Hope you will transfer assets to addresses below:<br> <br>ETH: 0x71Fb9dB587F6d47Ac8192Cd76110E05B8fd2142f<br> <br>BSC: 0xEEBb0c4a5017bEd8079B88F35528eF2c722b31fc<br> <br>Polygon: 0xA4b291Ed1220310d3120f515B5B7AccaecD66F17 <a href=\"https:\/\/t.co\/mKlBQU4a1B\">pic.twitter.com\/mKlBQU4a1B<\/a><\/p>&mdash; Poly Network (@PolyNetwork2) <a href=\"https:\/\/twitter.com\/PolyNetwork2\/status\/1425321860539949056?ref_src=twsrc%5Etfw\">August 11, 2021<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<p>The estimate is that multiple assets were diverted on the <a href=\"https:\/\/tradersofcrypto.com\/coins\/ethereum\/\">Ethereum network<\/a>, with an estimated value of $273M. Another $253M worth of assets were moved on Binance Chain, and $85M on Polygon Network.\u00a0<\/p>\n\n\n\n<p>Of those, $33M of Tether (USDT) was blacklisted, essentially preventing the hacker from spending or exchanging it. However, some of the assets were swapped to untraceable and fully decentralized DAI stablecoins.&nbsp;<\/p>\n\n\n\n<p>The hacker also used Curve Finance, where the blacklist and freeze features of the USDC stablecoin cannot reach the assets.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">The hacker added $97 million in USDC and DAI to Curve, where it&#39;s unreachable to USDC blacklist feature. $30 million in USDT are frozen and saved.<a href=\"https:\/\/t.co\/T6ZtXIGyar\">https:\/\/t.co\/T6ZtXIGyar<\/a><\/p>&mdash; banteg (@bantg) <a href=\"https:\/\/twitter.com\/bantg\/status\/1425094876920696834?ref_src=twsrc%5Etfw\">August 10, 2021<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<p>The recent exploit shows the inherent risks and limitations of <a href=\"https:\/\/tradersofcrypto.com\/news\/chainlink-and-polygon-go-off-correlation\/\">DeFi space<\/a>, as well as its potential for free fund transfer and disruptions. Until recently, DeFi exploits mostly included rug pulls, with some of the largest attacks at around $30M. Smaller rug pulls were not unusual, as well as flash loans that led to rapid losses.\u00a0<\/p>\n\n\n\n<p>However, an outright transfer of funds to multiple decentralized protocols now looks extremely hard to trace and contain. In the past, attacks and hacks were limited by the need to use centralized exchanges. Market operators like the <a href=\"https:\/\/tradersofcrypto.com\/exchanges\/binance\/\">Binance Exchange<\/a> could easily freeze or blacklist wallets. But the potential to only use anonymous smart contracts extends the risk for DeFi protocols.\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Hack Showed USDT is Not Decentralized<\/strong><\/h3>\n\n\n\n<p>One of the debates surrounding dollar-pegged coins is the potential to freeze or centrally control some of the assets. Tether has done this in the past, blacklisting 30M of USDT in an earlier exploit of its own protocol.&nbsp;<\/p>\n\n\n\n<p>Now, the USDT diverted from the Poly Network smart contract was blacklisted, leading to an exchange between the anonymous hacker and another user. The Poly Network hacker actually sent 13.37 ETH to a user that sent out a warning about USDT being blacklisted and potentially used to trace the hacker.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">The PolyNetwork hacker just sent 13.37 ETH to the guy that gave him the heads up about the USDT being frozen \ud83d\ude05<br><br>I love this simulation.<a href=\"https:\/\/t.co\/Wt8HHWLCQy\">https:\/\/t.co\/Wt8HHWLCQy<\/a><\/p>&mdash; Anthony Sassano (\ud83e\udd87, \ud83d\udd0a) (@sassal0x) <a href=\"https:\/\/twitter.com\/sassal0x\/status\/1425096618009890816?ref_src=twsrc%5Etfw\">August 10, 2021<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<p>In an exchange that attracted social media attention, the receiver of the bounty then sent 1.337 ETH to Vitalik Buterin\u2019s wallet, extending the inner joke forever on the Ethereum network.&nbsp;<\/p>\n\n\n\n<p>The hacker\u2019s actions revealed the potential to trace and freeze funds, showing not all cryptocurrency projects are regulated or capable of control. The DeFi space remains entirely unregulated, boasting smart contracts as the solution to financial middlemen. However, with no legal responsibility, loss of funds is usually permanent and not refundable.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Will Other Funds be Frozen<\/strong><\/h3>\n\n\n\n<p>Some of the stablecoins frozen, BUSD and USDC, are known to have capabilities for being frozen or blacklisted. However, Binance and Circle have yet to move in and lock the funds.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">Binance and circle need to explain why the 3m BUSD and 26m USDC stolen by hackers are not frozen. This case of the largest amount of money in DeFi history may have a great impact on confidence and supervision. <a href=\"https:\/\/twitter.com\/circlepay?ref_src=twsrc%5Etfw\">@circlepay<\/a> <a href=\"https:\/\/twitter.com\/jerallaire?ref_src=twsrc%5Etfw\">@jerallaire<\/a> <a href=\"https:\/\/twitter.com\/binance?ref_src=twsrc%5Etfw\">@binance<\/a> <a href=\"https:\/\/t.co\/9jjGlgFmyn\">https:\/\/t.co\/9jjGlgFmyn<\/a><\/p>&mdash; Wu Blockchain (@WuBlockchain) <a href=\"https:\/\/twitter.com\/WuBlockchain\/status\/1425274953272680453?ref_src=twsrc%5Etfw\">August 11, 2021<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<p>At this point, the crisis with Poly Network is still developing, and it is uncertain which tokens will end up blacklisted or moved and exchanged in ways that makes the funds unreachable.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>DeFi Grows Despite Risks<\/strong><\/h3>\n\n\n\n<p>The DeFi space keeps growing despite the risks to funds and the potential for multiple unverified smart contracts.&nbsp;<\/p>\n\n\n\n<p>The total value locked in DeFi space is above $80B, expanding again after dipping near $40B. ETH prices above $3,000 with a positive growth outlook drive adoption with the expectation for passive returns.&nbsp;<\/p>\n\n\n\n<p>To participate in DeFi, users must send some of the funds to be wrapped or held in smart contracts. Control over the assets varies, and the smart contracts may have unexpected exploits and consequences.&nbsp;<\/p>\n\n\n\n<p>Cross-chain functionalities are also trending, requiring sophisticated code to create different versions and bridges between blockchains. Cross-chain functionalities allow users to make use of the DeFi funds accrued on several blockchains, moving both tokens and stablecoins for decentralized trading, yield farming or other types of DeFi earnings.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Poly Network suffered the largest hack in DeFi space, with more than $600M in various tokens diverted through a smart contract.<\/p>\n","protected":false},"author":3,"featured_media":1291,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[23,334,331,332],"class_list":["post-1290","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorised","tag-binance","tag-busd","tag-hacker","tag-poly-network","entry"],"_links":{"self":[{"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/posts\/1290","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/comments?post=1290"}],"version-history":[{"count":0,"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/posts\/1290\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/media\/1291"}],"wp:attachment":[{"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/media?parent=1290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/categories?post=1290"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tradersofcrypto.com\/news\/wp-json\/wp\/v2\/tags?post=1290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}