Poly Network suffered a huge security breach yesterday that resulted in over $600m worth of assets being stolen.
Vast sums of ETH, BNB, USDC and a variety of tokens were transferred into three addresses on the Binance Smart Chain, Ethereum, and Poly Network.
Poly Network announced the breach in a tweet on August 10. The tweet included the hacker’s wallet addresses, and called on users to blacklist the addresses.
Poly Network Suffers Huge Blow
According to Poly Network, the hacker exploited a vulnerability between contract calls. The SlowMist security team analysed the attack and found the hacker initially used Monero before exchanging into other currencies. SlowMist also stated (via Google Translate):
Combined with the flow of funds and multiple fingerprint information, it can be found that this is likely to be a long-planned, organized and prepared attack.
The SlowMist team also said it has found the hacker’s IP address, mailbox, and device fingerprint.
Poly Network received a significant amount of criticism aimed at their security in the aftermath. Security researcher and Ethereum developer Mudit Gupta said:
This was not a DeFi or smart contract hack but a traditional key compromise combined with irresponsible design decisions taken by Poly Network.
Changpeng Zhao, the CEO of Binance, also posted a tweet about the attack:
Hacker May Still Return Assets
After the initial transactions, the hacker made smaller transactions accompanied by comments. In one transaction, they said: “Not so interested in money, now considering returning some tokens or just leaving them here.”
As users flooded the transactions with comments asking the hacker to transfer them funds, the hacker also said: “What if I make a new token and let the DAO [Decentralised Autonomous Organisation] decide where the tokens go?”
Later on August 10, Poly Network followed up with a letter addressed directly to the hacker, in which it described the attack as “the biggest one in DeFi history.”
The network urged the hacker to return the assets, also stating: “Law enforcement in any country will regard this as a major economic crime and you will be pursued.”
Since then, the hacker made a further transaction, in which they stated: “Ready to return the funds!”
The hacker said in another transaction: “It’s already a legend to win so much fortune. It will be an eternal legend to save the world. I made the decision, no more DAO.”
Poly Network followed up by directing the hacker where to deposit any stolen funds. At the time of writing, the hacker does not appear to have deposited any assets.