Cross-chain bridge platform Poly Network on July 2, was attacked by a hacker, and the exploit affected 57 crypto assets. This has prompted the network to urge users to withdraw their funds.
In a tweet dated July 2, Poly Network confirmed it was the latest victim of decentralized finance (DeFi) exploit after attackers were able to manipulate an intelligent contract function on the cross-chain bridge protocol. The company also announced it would temporarily suspend services.
In its most recent update, the team disclosed that 57 crypto assets on ten blockchains, including Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKX, and Metis, were affected by the exploit.
PeckShield reported that the exploiter had transferred at least $5 million worth of cryptocurrency.
“We have initiated communication with centralized exchanges and law enforcement agencies and requested their assistance,” the team reported in an update dated July 3.
It also recommended that project teams and token holders withdraw liquidity and release their liquidity provider tokens.
34B Poly Network Exploit
According to DeFi security analyst Arhat, the exploit resulted from a smart contract flaw that allowed the perpetrator to “craft a malicious parameter containing a fake validator signature and block header.”
This was accepted by the smart contract, bypassing the verification process and allowing the perpetrator to issue tokens from Poly Network’s Ethereum pool to their address on other chains, including Metis, BNB Chain, and Polygon.
The procedure was repeated for other chains, resulting in the accumulation of tokens.
The analyst stated that the hacker’s wallet once contained approximately $42 billion worth of tokens, but they could only convert and steal a fraction of them.
“This way, the hacker was able to mint billions of tokens on various blockchains that did not exist before and transfer them to their own wallet addresses.”
Dedaub, a provider of blockchain security solutions, labeled the latest Poly Network exploit a “34 billion Poly Network hack.”
Dedaub identified flaws in the protocol’s multisig, noting that it had a simplistic “3 of 4” multi-signature arrangement for two years and adding:
“Looking at the final event we found that the private keys to the addresses marked were compromised.”
Dedaub described the attack as uncomplicated, as no logic flaws were exploited. It added that Poly Network’s response time of seven hours cost the platform $5.5 million in misappropriated cryptocurrency. Fortunately, the lack of liquidity in several tokens averted additional losses.
The CEO of Binance, Changpeng Zhao, reassured customers following the attack by stating, “This does not impact Binance users. We are unable to accept deposits from this network.”
The Poly Network was attacked in August 2021 in one of the industry’s largest-ever exploits. Over $600 million was stolen by hackers, who were revealed to be affiliated with the North Korean hacking group Lazarus Group.
