Poly Network advises users to withdraw funds following a hack impacting 57 cryptocurrencies.

Further details are coming to light following a July 2 attack on cross-chain bridge platform Poly Network, with a hacker being able to issue billions of tokens out of thin air for profit.

In a July 2 tweet, Poly Network confirmed it became the latest decentralized finance (DeFi) exploit victim after attackers managed to manipulate a smart contract function on the cross-chain bridge protocol, adding it will be temporarily suspending services.

In the most recent update, the team revealed that the exploit affected 57 crypto assets on 10 blockchains, including Ethereum, BNB Chain , Polygon, Avalanche, Heco, OKX and Metis.

It did not specify how much was stolen in the attack, but PeckShield earlier reported that the exploiter had transferred out at least $5 million worth of crypto. A July 3 report from CertiK later estimated the attack led to around $10 million worth of crypto collected across five externally owned addresses.

“We have already initiated communication with centralized exchanges and law enforcement agencies and sought their assistance,” the team stated in a July 3 update.

It also advised project teams and tokenholders to withdraw liquidity and unlock their liquidity provider tokens.

‘34 billion’ Poly Network hack breakdown

DeFi security analyst Arhat said the exploit resulted from a smart contract vulnerability that allowed the hacker to “craft a malicious parameter containing a fake validator signature and block header.”

This was accepted by the smart contract, enabling the hacker to bypass the verification process and allowing them to issue tokens from Poly Network’s Ethereum pool to their own address on other chains, such as Metis, BNB Chain, and Polygon.

The process was repeated for other chains enabling the token stash to pile up.

At one point, the hacker’s wallet held around $42 billion worth of tokens, but they were only able to convert and steal a fraction of them, said the analyst.

“This way, the hacker was able to mint billions of tokens on various blockchains that did not exist before and transfer them to their own wallet addresses.”

Blockchain security solutions provider Dedaub dubbed the latest Poly Network exploit the “34 billion Poly Network hack.”

Getting to the bottom of the “34 billion” Poly network hack with a technical postmortem. TL ; DR Poly network had a simple 3 of 4 multisig arrangement over 2 years! Looking at the final event we found that the private keys to the addresses marked were compromised. pic.twitter.com/Y0eMJXcYso

— Dedaub (@dedaub) July 2, 2023

Dedaub noted weaknesses in the protocol’s multisig, stating that it had a simple “3 of 4” multisignature arrangement over two years, adding:

“Looking at the final event we found that the private keys to the addresses marked were compromised.”

Dedaub explained that the attack wasn’t complex, as no logic bugs were exploited. It added that Poly Network took seven hours to respond, which cost the platform $5.5 million in stolen crypto. Luckily, a lack of liquidity in many of the tokens prevented further losses.

Related: Over $204M lost to DeFi hacks and scams in Q2

Following the attack, Binance CEO, Changpeng Zhao reassured customers, stating that “This does not affect Binance users. We do not support deposits from this network.”

Poly Network got rekt again; allegedly because of compromised hot keys. It’s going to keep happening untill our industry changes our approach to security. Smart contract audits only scratch the surface. ps Poly network has NOTHING to do with Polygon. https://t.co/n1qI48b4Kb

— Mudit Gupta (@Mudit__Gupta) July 2, 2023

Cointelegraph reached out to Poly Network for further details but received no response by publication.

In August 2021, the Poly Network was attacked in one of the industry’s largest-ever exploits. Hackers — later revealed to be linked with North Korean hacking collective, the Lazarus Group — made off with over $600 million.

Magazine: Tornado Cash 2.0: The race to build safe and legal coin mixers

Translation:

This is a paragraph containing a strong tag within it. The content inside the strong tag is “Magazine: Tornado Cash 2.0: The race to build safe and legal coin mixers”.

We will continue to update Phone&Auto; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more

DeFi

9 Protocols Slam LayerZero's 'wstETH' Token Is It Really Just Proprietary?

Fashionistas, take note WstETH is a bridged version of Lido's stETH that has yet to gain approval from Lido DAO.

DeFi

PancakeSwap V3 launched on Ethereum Layer 2 Linea Mainnet

PancakeSwap v3 revolutionizes the Swap and Liquidity Provision features, empowering users to effortlessly trade token...

DeFi

Kwon sentenced to 4 months in Montenegro for fake passport.

Do Kwon's coworker and former Chief Financial Officer of Terraform Labs, Han Chong-joon, was charged with him and rec...

DeFi

Italy's Central Bank chose Polygon and Fireblocks DeFi Project to assist institutions in exploring tokenized assets.

This groundbreaking initiative aims to empower Italian banks, asset managers, and financial institutions, including t...

DeFi

September 2023 sets exploit record, DAOs democratize science: Finance Redefined

DeFi’s top 100 tokens by market capitalization experienced a highly positive week, as the majority of tokens recorded...

Market

SOL Token Gains Momentum Despite Crypto Market Downturn

Solana's total value locked has increased by 13% in just seven days, accompanied by an impressive 24% rise in decentr...