PolyNetwork is an interoperability protocol that supports atomic cross-chain transactions between several large blockchains. It has just been exploited, with investor cryptocurrencies worth $600 million stolen on Polygon, Binance Smart Chain, and Ethereum.
What Happened to PolyNetwork?
On August 10, PolyNetwork announced that it had been attacked at 8:38 a.m. Eastern Time. It immediately listed the addresses to which the anonymous hackers had transferred funds on the ETH, BSC, and Polygon networks and asked miners and the affected exchanges to blacklist them.
The stolen tokens include WBTC, WETH, RenBTC, DAI, UNI, SHIB, and FEI. In total, more than $600 million worth of cryptocurrency was taken, which would easily make this the biggest DeFi hack to date.
In terms of dollar value, the incident is comparable to the Mt. Gox and Bitfinex exchange hacks, in which $500 million and $750 million respectively were stolen.
It was soon discovered that the hacker's funds originally came from Monero (XMR), a privacy-focused coin, which was then converted to ETH, BNB, and MATIC on an exchange.
Jay Hao, CEO of the OKEx cryptocurrency exchange, assured the victims of the hack that he would help resolve the situation:
“@OKEx is already on the case. We’re watching the flow of coins, and will do our best to manage the situation. Our wallet team will get in touch if we need more information.”
Analysis shows that the hack was a traditional compromise of a user's private keys, made easier by PolyNetwork's smart contract design decisions.
One of the smart contracts involved uses a single custodian wallet: once an attacker obtains that wallet's private key, which can happen in several ways, they can sign a transaction that transfers all of the funds to their own address. PolyNetwork also did not use Etherscan to make its smart contracts reviewable.
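As an added illustration (not PolyNetwork's code), the following Solidity sketch places the single-custodian design described above next to a threshold-approval variant in which no single key is sufficient to move funds; the contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

// Single custodian (illustrative): one key authorizes moving every token the contract holds.
// Whoever holds, or steals, that key can drain the vault in a single transaction.
contract SingleCustodianVault {
    address public custodian;
    constructor(address _custodian) { custodian = _custodian; }
    function withdraw(IERC20 token, address to, uint256 amount) external {
        require(msg.sender == custodian, "not custodian");
        require(token.transfer(to, amount), "transfer failed");
    }
}

// Hardened form (illustrative): a withdrawal needs approval from a threshold of
// independent signers (e.g. 2-of-3), so one compromised key cannot move funds.
contract ThresholdVault {
    address[] public signers;
    uint256 public immutable threshold;
    mapping(bytes32 => mapping(address => bool)) public approved; // proposal => signer => voted
    mapping(bytes32 => uint256) public approvals;                // proposal => vote count
    mapping(bytes32 => bool) public executed;                    // proposal => already paid out

    constructor(address[] memory _signers, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= _signers.length, "bad threshold");
        signers = _signers;
        threshold = _threshold;
    }

    function isSigner(address a) public view returns (bool) {
        for (uint256 i = 0; i < signers.length; i++) if (signers[i] == a) return true;
        return false;
    }

    // Each signer approves the exact (token, to, amount, nonce) tuple; the transfer
    // happens only when `threshold` distinct signers have approved it, and only once.
    function approveWithdraw(IERC20 token, address to, uint256 amount, uint256 nonce) external {
        require(isSigner(msg.sender), "not a signer");
        bytes32 id = keccak256(abi.encode(address(token), to, amount, nonce));
        require(!executed[id], "already executed");
        require(!approved[id][msg.sender], "already approved");
        approved[id][msg.sender] = true;
        approvals[id] += 1;
        if (approvals[id] >= threshold) {
            executed[id] = true;
            require(token.transfer(to, amount), "transfer failed");
        }
    }
}
```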
How Do Investors Avoid This?
As a developing field, DeFi still has many problems to solve, and further scams, hacks, and exploits are very likely to emerge in the short term. There are, however, some best practices that protect investors from malicious actors trying to steal their assets.
These include making sure that the smart contract of the project you have chosen to invest in has been audited by a technically competent auditing organization with an immaculate record.
After saying he was prepared to return the funds stolen in the infamous $610 million hack, the perpetrator has made a first transaction worth $1 million in USDC.
This came after the hacker toyed with the idea of creating a new token and letting a DAO decide what to do with the substantial sum stolen.
Now, though, the hacker has stayed true to his word and has completed a transaction worth $1 million in USDC from his marked address to PolyNetwork’s wallet.
The team behind the DeFi project confirmed receiving the amount in a separate message. It reads:
“You are moving things to the right direction. We received 1+M USDC on Polygon. Did you ask us to encrypt the receiving addresses with your BookKeeper public key?”