The Poly Network Hack: Who to Blame?

Published on: Aug 25, 2021
Written by: Sarah Imran
Duration: 5 min
Category: DeFi, insights

Introduction

On August 10, 2021, an attack on the cross-chain platform Poly Network took place. This attack resulted in assets worth over $600M being stolen.

Poly Network is an interoperability protocol that allows different heterogeneous blockchains to work with each other on one platform. By hacking into the Poly Network platform, the attacker was able to drain funds from more than one blockchain. Hackers targeted Ethereum, Binance Smart Chain, and Polygon with the attack.

After the attack, Poly Network attempted to negotiate with the hacker via a naive statement released on Twitter. They tried to urge him to return the assets he had stolen. Interestingly enough, the hacker actually responded to the negotiation by creating embedded messages within Ethereum transactions, taunting the Poly Network team for their negligence. After publishing several messages on the blockchain (including a Q&A session where the hacker essentially interviews himself), the attacker went on to return most of the stolen funds.

The unusual trajectory of this incident raises the question of where to place the blame in these kinds of attacks. Many, including the attacker himself, argue that a cross-chain protocol like Poly Network should never have had this kind of vulnerability to begin with. He further argued that it is their responsibility to provide their users with the kind of security that prevents this from happening.

Before we discuss this further, let us first break down the details of the actual hack that took place.

The Hack

The Poly Network is “built to implement interoperability between multiple chains in order to build the next generation internet infrastructure. ” In simple terms, it is a collection of smart contracts that allow transactions to take place between different blockchains. A user could, for example, use Poly Network to transfer tokens from the Ethereum blockchain to the Binance Smart Chain.

Like most cross-chain projects, Poly Network had a privileged contract that determined when to trigger messages between the blockchains. Developers named the contract EthCrossChainManager and included an important function known as verifyHeaderAndExecuteTx in it. This function did three things: 

  1. Verified the header of the block.
  2. Used a Merkle proof to check whether the transaction was a part of the block.
  3. Called another function named executeCrossChainTx which executes the target contract.

You can think of the EthCrossChainManager as the “boss” of the DeFi platform. It decides the execution of contracts after verifying the header of the block and the transactions within it. EthCrossChainManager is the keeper of another contract, called EthCrossChainData. This contract stored important information such as cross-chain data as well as the public key of the Keeper. The EthCrossChainData contract worked as an accountant to the boss, i.e. EthCrossChainManager, storing important cross-chain information.

One major flaw in the design of the executeCrossChainTx function within the EthCrossChainManager was that it had no check preventing it from executing the EthCrossChainData contract. Its only check was that the target address was a contract at all.

The attacker exploited this vulnerability and passed a carefully crafted sighash to verifyHeaderAndExecuteTx, which subsequently called the executeCrossChainTx function. This function then executed the EthCrossChainData contract’s function putCurEpochConPubKeyBytes, the method used to store the address of the keeper.

By doing this, he was able to change the keeper of the EthCrossChainData contract to an address of his own (i.e., convince the accountant that his boss was someone else). The attacker could then create transactions at will and withdraw any amount of funds from the contract. Once the keeper had been modified, all other normal transactions on the chain were reverted by the system.
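The core of the flaw described above, reduced to simplified Solidity as an added illustration (this is not Poly Network's code; the names VulnerableManager, HardenedManager, Relay and dataStore are my own). The vulnerable manager only checks that its target is a contract; the hardened one also refuses to call its own data contract and restricts targets to an allowlist fixed at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Poly Network's code. `dataStore` plays the role of
// EthCrossChainData, the contract holding cross-chain state and the keeper key.
// Header and Merkle-proof verification (verifyHeaderAndExecuteTx in the
// original design) is assumed to have passed before executeCrossChainTx runs.
library Relay {
    // Builds the 4-byte selector from the relayed method name and calls it.
    function dispatch(address to, bytes memory method, bytes memory args)
        internal returns (bool ok)
    {
        bytes4 selector = bytes4(keccak256(abi.encodePacked(method, "(bytes)")));
        (ok, ) = to.call(abi.encodeWithSelector(selector, args));
    }
}

// The flaw: the only check is "is the target a contract". dataStore is a
// contract too, so a relayed message may name it and reach its setters.
contract VulnerableManager {
    address public immutable dataStore;
    constructor(address d) { dataStore = d; }
    function executeCrossChainTx(address to, bytes memory method, bytes memory args)
        internal returns (bool)
    {
        require(to.code.length > 0, "target is not a contract");
        return Relay.dispatch(to, method, args);
    }
}

// Hardened: the target may never be the data contract or the manager itself,
// and must be on an allowlist fixed at deployment.
contract HardenedManager {
    address public immutable dataStore;
    mapping(address => bool) public allowedTargets;
    constructor(address d, address[] memory targets) {
        dataStore = d;
        for (uint256 i = 0; i < targets.length; i++) {
            require(targets[i] != d && targets[i] != address(this), "bad target");
            allowedTargets[targets[i]] = true;
        }
    }
    function executeCrossChainTx(address to, bytes memory method, bytes memory args)
        internal returns (bool)
    {
        require(to != dataStore, "target must not be the data contract");
        require(allowedTargets[to], "target is not allowlisted");
        return Relay.dispatch(to, method, args);
    }
}
```

The allowlist is deliberately populated only in the constructor so that no later call, relayed or otherwise, can widen the set of callable targets.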

Aftermath

By the time the Poly Network community had discovered that assets had been compromised, over $600m worth of funds had been stolen. They then published the accounts which held the stolen assets, urging members of the blockchain community to blacklist tokens coming from them. Cryptocurrency firm Tether went on to freeze $33 million USDT connected with the hack as well.

Soon after, Poly Network released a statement on Twitter urging the hackers to return the assets they had stolen. The statement, beginning with “Dear hacker”, was quickly met with ridicule for its naive approach to solving the problem, coming off as more of a desperate plea than the beginning of a negotiation.

The attacker was also an interesting case, going on to taunt the Poly Network team for their carelessness. Via a blockchain explorer, observers discovered several transactions on the Ethereum blockchain that included messages from the hacker’s address. The messages even included a Q&A where he discussed his motives behind the attack. He claimed that he did it just “for fun” and that he had no interest in the money; his sole goal was to teach Poly Network a lesson.

As of 13 August, the responsible parties have returned almost all of the funds. Only the $33 million USDT that Tether froze remains.

Takeaways for the Blockchain Community

What was essentially the biggest hack in the history of cryptocurrency became a valuable lesson on the importance of security. It indicated just how powerless big organizations can become in the face of powerful hackers.

The transparent nature of smart contracts can make it very easy for someone to exploit them, while at the same time being a roadblock that prevents them from cashing in their loot. Many believe the motivation for returning the stolen assets may have stemmed from this fear, instead of the more noble reason the attacker had painted. However, this is questionable in itself with regard to the core philosophy of anonymity that blockchain stands on. If the fear of being tracked led the attacker to return the money, is this technology really anonymous?

Figuring out where to place the blame in these kinds of incidents is also difficult. Online, people greatly admired the hacker for the feat he achieved, supporting his view that this resulted from Poly Network’s negligence. Meanwhile, the attacker stole assets belonging to the general public, having no right to take them.

Regardless of whose fault it was, the key lesson put forth by this incident is that of security. This hack firmly established the importance of designing the architecture of your code with care. In this case, the hacker was able to steal millions of dollars worth of funds due to a design flaw that should have been taken care of.

We can no longer afford to cut corners in ensuring our smart contracts are rock-solid in every way; the likelihood of losing more than can be borne is far too great.

Poly Network got lucky this time, though there can be no guarantee of a favorable outcome in the next hack.

References

https://github.com/polynetwork/eth-contracts
