A significant security breach has struck Poly Network, the cross-chain interoperability platform.
Because of the lack of liquidity and the prompt response from METIS developers, who swiftly locked the minted METIS tokens, the attackers were not able to fully cash in on their loot.
Poly Network reacted to the hack by suspending transactions on their platform. They also called for support from cybersecurity professionals, appealing for assistance and expertise in resolving the incident.
A spreadsheet shared by the interoperability protocol revealed that the hacker minted 57 assets across 10 blockchains. In a follow-up tweet, the protocol also publicly shared the transactions and the wallet addresses holding the assets.
“To minimize further risks, we have reached out to the majority of project teams and urged them to promptly withdraw liquidity from decentralized exchanges. We also strongly advise users who hold the affected assets to expedite the process of withdrawing liquidity and unlocking their LP tokens.
“We deeply appreciate your patience and understanding during this challenging period,” said Poly Network via Twitter.
Analysts weigh in on the attack
Blockchain security solutions provider Dedaub also shed more light on the vulnerability that left room for the hack. They explained that Poly Network had a relatively simple 3-of-4 multisig arrangement, wherein transactions required approval from three out of four private keys. Dedaub further revealed that the private keys associated with specific addresses were compromised, allowing the attackers to gain unauthorised access.
They then used the compromised keys to sign proof of being owed BNB tokens, netting them approximately $5.5 million.
Poly Network is no stranger to exploits of this calibre. In August 2021, Lazarus Group stole $600 million across three blockchains on Poly Network. The attackers capitalised on a vulnerability between contract calls to cart away about $273 million worth of ERC-20 Ethereum, $85 million in USDC on the Polygon Network and $253 million on Binance Smart Chain.
At the time, blockchain security firm SlowMist described the attack as well-coordinated.
“Combined with the flow of funds and multiple fingerprint information, it can be found that this is likely to be a long-planned, organized and prepared attack.”