Cryptocurrency Heist: How Hackers Stole $613 Million in Digital Tokens From Poly Network

Poly Network is a decentralised finance (DeFi) platform that facilitates peer-to-peer transactions.

Updated: 12 August 2021 18:06 IST

Cryptocurrency Heist: How Hackers Stole $613 Million in Digital Tokens From Poly Network

A lesser-known name in the world of cryptocurrency, Poly Network is a decentralised finance

Highlights

The hacker or hackers has not yet been identified
SlowMist said the heist was likely to be long-planned
The attackers stole funds in more than 12 different cryptocurrencies

Hackers pulled off the biggest ever cryptocurrency heist on Tuesday, stealing $613 million (roughly Rs. 4,550 crores) in digital coins from token-swapping platform Poly Network, only to return $342 million (roughly Rs. 2,540 crores) worth of tokens less than 24 hours later, the company said. Here's what we know so far about the heist.

What is Poly Network?

A lesser-known name in the world of cryptocurrency, Poly Network is a decentralised finance (DeFi) platform that facilitates peer-to-peer transactions with a focus on allowing users to transfer or swap tokens across different blockchains.

Thinking of Buying Cryptocurrency? Here's How You Do It

It was not immediately clear from Poly Network's website where the platform is based or who runs it. According to specialist crypto website Coindesk, Poly Network was launched by the founders of Chinese blockchain project Neo.

How did hackers steal the tokens?

Poly Network operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tokens are swapped between the blockchains using a smart contract which contains instructions on when to release the assets to the counterparties. Ethereum price in India stood at Rs. 2.4 lakhs as of 6pm IST on August 12.

One of the smart contracts that Poly Network uses to transfer tokens between blockchains maintains large amounts of liquidity to allow users to efficiently swap tokens, according to crypto intelligence firm CipherTrace.

Poly Network tweeted on Tuesday that a preliminary investigation found the hackers exploited a vulnerability in this smart contract.

According to an analysis of the transactions tweeted by Kelvin Fichter, an Ethereum programmer, the hackers appeared to override the contract instructions for each of the three blockchains and diverted the funds to three wallet addresses, digital locations for storing tokens. These were later traced and published by Poly Network.

The attackers stole funds in more than 12 different cryptocurrencies, including ether and a type of bitcoin, according to blockchain forensics company Chainalysis.

A person claiming to have perpetrated the hack said they had spotted a "bug," without specifying, and that they wanted to "expose the vulnerability" before others could exploit it, according to digital messages posted on the Ethereum network published by Chainalysis. Reuters could not verify the authenticity of the messages.

Where did the money go?

As of late Wednesday, the hackers had returned $342 million (roughly Rs. 2,540 crores) of the assets, Poly Network said, but $353 million (roughly Rs. 2,620 crores) was outstanding. It is unclear where the remaining assets have gone.

Coindesk reported on Tuesday that the hackers had tried to transfer assets including tether tokens from one of the three wallets into liquidity pool Curve.fi, but that transfer was rejected. About $100 million (roughly Rs. 740 crores) has been moved out of another of the wallets and deposited into liquidity pool Ellipsis Finance, Coindesk also reported.

Curve.fi. and Ellipsis Finance could not immediately be reached for comment.

Who is the hacker?

The hacker or hackers has not yet been identified.

Cryptocurrency security firm SlowMist said on its website that it has identified the attacker's mailbox, internet protocol address, and device fingerprints, but the company has not yet named any individuals. SlowMist said the heist was "likely to be a long-planned, organised and prepared attack."

Despite the purported hacker posing as a so-called "white hat", an ethical hacker who aimed to identify the vulnerability for Poly Network and had "always" planned to give the money back, according to the messages published by Chainalysis, some crypto experts are skeptical.

Gurvais Grigg, chief technology officer at Chainalysis and former FBI veteran, said it was unlikely that white hat hackers would steal such a large sum. He said they had probably returned some of the funds because it had proved too difficult to convert them into cash.

"It's hard to know the motivation ... Let's see the if they return the whole amount," he added.

Interested in cryptocurrency? We discuss all things crypto with WazirX CEO Nischal Shetty and WeekendInvesting founder Alok Jain on Orbital, the Gadgets 360 podcast. Orbital is available on Apple Podcasts, Google Podcasts, Spotify, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated - see our ethics statement for details.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.