Whoever drained roughly $600m in cryptocurrencies from Poly Network is said to have returned at least $260m so far.
The cyber super-heist, revealed yesterday, was described by Poly Network as the largest of its kind in decentralized finance history. The Chinese biz, which handles the exchange of cryptocurrencies and other tokens between various blockchains, today said more than a third of the money pilfered from its systems has been returned.
Here’s what Poly Network had to say earlier:
$260 million (As of 11 Aug 04:18:39 PM +UTC) of assets had been returned:
The remainder is $269M on Ethereum, $84M on Polygon
— Poly Network (@PolyNetwork2) August 11, 2021
Poly Network said the crook was able to interfere with the execution of smart contracts – typically, small programs that automatically run to fulfill agreements between parties – that are used by the platform to exchange people’s tokens and coins. Thus, funds were siphoned off in transit as opposed to being extracted directly from digital wallets.
You can find more technical detail in write-ups by security analysts Slowmist and by blockchain watchers Chainalysis.
“The hacker exploited a vulnerability, which is the _executeCrossChainTx function between contract calls,” a spokesperson for Poly Network told El Reg. “Therefore, the attacker uses this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract. It is not the case that this event occurred due to the leakage of the keeper’s private key.”
The team at Chainalysis put it more bluntly: “The attacker pulled off the heist by taking advantage of an exploit in the smart contracts Poly Network uses to carry out cross-chain transactions.”
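To illustrate the pattern described above (a cross-chain executor that relays a caller-supplied call and thereby lets crafted data rewrite a privileged contract's keeper), here is an added Solidity sketch that is not Poly Network's code. All contract and function names (DataStore, WeakExecutor, HardenedExecutor, setKeeper, execute) are hypothetical stand-ins, and message signature verification is omitted to keep the focus on target validation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for a privileged data contract: only the current
// keeper may hand the keeper role to another address.
contract DataStore {
    address public keeper;
    constructor() { keeper = msg.sender; }
    function setKeeper(address newKeeper) external {
        require(msg.sender == keeper, "not keeper");
        keeper = newKeeper;
    }
}

// Weak executor: relays whatever target/calldata the cross-chain message
// carries. If this executor is itself the keeper of DataStore, a relayed
// call to DataStore.setKeeper passes the keeper check above, so the
// message payload alone decides who controls the data contract.
contract WeakExecutor {
    function execute(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// Hardened executor: only application contracts registered by the owner are
// valid relay targets, and the privileged data contract (and the executor
// itself) can never be registered, so no payload can reach setKeeper.
contract HardenedExecutor {
    address public immutable dataStore;
    address public owner;
    mapping(address => bool) public allowedTarget;

    constructor(address _dataStore) {
        dataStore = _dataStore;
        owner = msg.sender;
    }
    function allow(address target) external {
        require(msg.sender == owner, "not owner");
        require(target != dataStore && target != address(this), "privileged");
        allowedTarget[target] = true;
    }
    function execute(address target, bytes calldata data) external {
        require(allowedTarget[target], "target not registered");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

The check worth auditing in any cross-chain bridge is the one in the hardened execute: the set of contracts a relayed message may call must exclude anything that holds the bridge's own trust roots.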
Earlier, Poly Network publicly pleaded for the thief to return all of the stolen assets, and urged crypto-exchanges and others to refuse to handle transactions from specific wallet addresses understood to be holding the loot or otherwise involved in the information superhighway robbery. At least tens of millions of dollars in subsequent transfers were blocked.
Someone likely to be the crook claimed the theft was carried out not to steal money. Instead, we’re told, it was more of a prank to teach Poly Network a lesson in computer security by publicly exposing a vulnerability, and that the thief always intended to hand back their plunder. Yeah, right. Totally, absolutely and entirely believable.
Another motivating factor for the miscreant may have been that Slowmist claimed it had obtained “the attacker’s mailbox, IP, and device fingerprints through on-chain and off-chain tracking.”
In other words, the net may have been closing in on the thief. Poly Network had threatened legal action, and warned that police forces around the world would not allow this mega-heist to stand. The thief may have also found it tricky to launder or fence their huge pile of purloined assets.
What looks like an FAQ regarding the heist was embedded in the metadata of some of the transactions returning the stolen tokens, according to Dr Tom Robinson, chief scientist at crypto-coin analysis house Elliptic.
“Q: Why returning? A: I am not very interested in money,” the suspected crook wrote in that self-directed question-and-answer session on the Ethereum blockchain. “I know it hurts when people are attacked, but shouldn’t they learn something from those hacks? I announced the returning decision before midnight so people who had faith in me should [have] a good rest ;)” ®