Poly Network suffers $42billion exploit

A significant security breach has struck Poly Network, the cross-chain interoperability platform.

The attackers successfully minted 999 trillion Shiba Inu (SHIB) tokens, 24 billion Binance USD (BUSD) and numerous other altcoins, totalling a staggering $42billion in value.

Due to the lack of liquidity and prompt response from METIS developers who swiftly locked the minted METIS tokens, the attackers were not able to fully cash-in on their loot.

Dear users,

As we continue to address this situation, we regret to inform you that our services will remain temporarily suspended.
【1/7】

— Poly Network (@PolyNetwork2) July 2, 2023

Poly Network reacted to the hack by suspending transactions on their platform. They also called for support from cybersecurity professionals, appealing for assistance and expertise in resolving the incident. 

It was revealed from a spreadsheet shared by the interoperability protocol that the hacker minted 57 assets across 10 blockchains. They also shared the transactions and the wallet addresses holding the assets publicly in a follow-up tweet. 

“To minimize further risks, we have reached out to the majority of project teams and urged them to promptly withdraw liquidity from decentralized exchanges. We also strongly advise users who hold the affected assets to expedite the process of withdrawing liquidity and unlocking their LP tokens.

“We deeply appreciate your patience and understanding during this challenging period,” said Poly Network via Twitter 

Analysts weigh in on the attack

On-chain analyst, LookOnChain reported that the attacker managed to find some liquidity and had swapped 94B SHIB for 360 ETH, 495M COOK for 16 ETH and 15M RFuel for 27 ETH.

It seems that #PolyNetwork was attacked again, hackers minted a lot of assets.

Hackers have sold 94B $SHIB for 360 $ETH, 495M $COOK for 16 $ETH and 15M $RFuel for 27 $ETH.

And we noticed that hackers are transferring assets and 1 $ETH to new wallets, most likely for sale. pic.twitter.com/a8eqbgy1Vm

— Lookonchain (@lookonchain) July 2, 2023

Blockchain security solutions provider Debaub also shed more light on the vulnerability that left room for the hack. They explained that Poly Network had a relatively simple 3 of 4 multisig arrangement, wherein transactions required approval from three out of four private keys. Debaub further revealed that the private keys associated with specific addresses were compromised, allowing the attackers to gain unauthorised access.

They then used the compromised keys to sign proof of being owed BNB tokens, netting them approximately $5.5million.

Getting to the bottom of the "34 billion" Poly network hack with a technical postmortem.

TL ; DR

Poly network had a simple 3 of 4 multisig arrangement over 2 years!

Looking at the final event we found that the private keys to the addresses marked were compromised. pic.twitter.com/Y0eMJXcYso

— Dedaub (@dedaub) July 2, 2023

Poly Network is no stranger to exploits of this calibre. In August 2021, Lazarus group stole $600million across three blockchains on Poly Network. The attackers capitalised on a vulnerability between contract calls to cart away with about $273 million worth of ERC-20 Ethereum, $85 million in USDC on the Polygon Network and $253 million on Binance Smart Chain.

At the time, Blockchain security firm SlowMist described the attack as well-cordinated.

“Combined with the flow of funds and multiple fingerprint information, it can be found that this is likely to be a long-planned, organized and prepared attack.”