According to the blockchain security firm Dedaub, the Poly Network has once again fallen victim to an exploit, this time due to compromised private keys.
Additional information is emerging regarding the recent attack on the cross-chain bridge platform Poly Network, which enabled a hacker to generate billions of tokens for their own financial gain.
Poly Network took to Twitter on July 2 to confirm that it had fallen victim to a DeFi exploit. The attackers successfully manipulated a smart contract function on the cross-chain bridge protocol, leading to the suspension of services temporarily.
In the latest update, the Poly Network team disclosed that the exploit had impacted 57 different cryptocurrencies across 10 blockchains, including Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKx, and others like Metis.
The team did not provide specific details regarding the exact amount stolen in the attack. However, earlier reports from Peckshield indicated that the attacker had transferred at least $5 million worth of cryptocurrencies.
In an update on July 3, the team stated that they have already started communicating with centralized exchanges and law enforcement agencies, seeking their assistance.
Additionally, the team advised project teams and token holders to withdraw liquidity and unlock their LP (liquidity provider) tokens.
According to DeFi security analyst @0xArhat, the exploit occurred due to a vulnerability in the smart contract. The hacker was able to manipulate the system by creating a malicious parameter that included a fake validator signature and block header.
This manipulated parameter was accepted by the smart contract, allowing the hacker to bypass the verification process. As a result, they were able to issue tokens from Poly Network's Ethereum pool directly to their own address on different chains, including Metis, BNB Chain, and Polygon.
The hacker repeated this process on other chains, accumulating a substantial stash of tokens.
According to the analyst, at a certain point, the hacker's wallet contained approximately $42 billion worth of tokens. However, they were only able to convert and steal a small portion of this amount.
The recent security breach of Poly Network has been given the name "34 billion Poly Network hack" by Dedaub, a blockchain security solutions provider.
Dedaub identified vulnerabilities in the protocol's multi-signature (multi-sig) feature, highlighting that it had a straightforward "3 of 4" multi-signature arrangement for over two years.
According to Dedaub, the attack on Poly Network was not complex, as it did not involve any exploitation of logic bugs. Dedaub also noted that Poly Network's response time was slow, taking approximately seven hours, resulting in a loss of $5.5 million in stolen cryptocurrencies. Fortunately, due to a lack of liquidity in several tokens, further losses were prevented.
In response to the attack, Changpeng Zhao, the CEO of Binance, provided reassurance to customers by stating that the incident would not have any impact on Binance users. He clarified that Binance does not support deposits from the affected network.
In a previous incident, the Poly Network experienced one of the largest exploits in the industry back in August 2021. Hackers, who were later discovered to be associated with the Lazarus Group, a North Korean hacking collective, managed to steal over $600 million from the platform.
Comments