The $600M Poly Network Hack — Simply Explained

Jordan Johnson
4 min read · Aug 12, 2021


Poly Network — $600m hacked and then $342m returned.

On Tuesday, August 10th 2021, the largest cryptocurrency heist to date saw over $613 million stolen from the cross-chain DeFi protocol Poly Network. In a bizarre twist, the hacker then returned $342 million of the stolen funds to the network. This article aims to explain how the hacker was able to exploit Poly Network and take hundreds of millions of dollars in cryptocurrency.

What is Poly Network?

Poly Network is a decentralized finance (DeFi) platform that provides interoperability between multiple blockchains by using smart contracts. In layman's terms, this allows users to transfer and swap tokens across different blockchains. At the time of the hack, Poly Network had already integrated Bitcoin, Ethereum, Neo, Ontology, Elrond, Zilliqa and Binance Smart Chain.

For example, a user of Poly Network could move a token such as (wrapped) bitcoin from the Ethereum blockchain to the Binance Smart Chain, perhaps to access a specific application that only exists there.

How the hacker stole the cryptocurrency — Simplified

The funds were drained on three of the chains Poly Network bridges: Ethereum, Binance Smart Chain and Polygon. Tokens are moved between blockchains by smart contracts that contain the rules for when assets are released to the counter-parties. The hack can be explained with a simple analogy of a traditional currency brokerage.

The Accountant and the Currency Broker

Imagine a currency brokerage that allows customers to swap between Dollars and Euros. For the business to operate there are two different roles:

The Accountant — The Accountant is the only person with access to the clients' bank accounts. The Accountant's role is to carry out any currency exchange order given to him by the Currency Broker, and he follows every instruction the Currency Broker gives him without question.

Currency Broker — The Currency Broker receives orders from customers, determines whether they are valid and, if they are, instructs the Accountant to perform the transaction.

If you wanted to swap Dollars for Euros, you would contact the Currency Broker and place an order for the amount of Euros you want. The Currency Broker would then view your current Dollar balance and, if you had sufficient funds, instruct the Accountant to withdraw the Dollars from your account and give you Euros.

The hacker was effectively able to 'control' the Currency Broker and make him tell the Accountant that the Accountant now reports to the hacker and should follow the hacker's instructions. In this analogy, imagine the Currency Broker being held at gunpoint by the hacker and made to pass those instructions on to the Accountant.

As it is only the role of the Accountant to process transactions, not to verify their legitimacy, the hacker could then instruct the Accountant to drain users' funds into accounts of his choosing. The weakness is not simply that the Accountant obeys; it is that the Broker will pass along any instruction at all, including one that changes who the Accountant takes orders from. If you are more technically inclined you can read how this worked in a more technical explanation here.
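The two roles above, written out as minimal Solidity contracts. This is an illustration added for this article, not Poly Network's own code; the contract and function names (Ledger, VulnerableBroker, HardenedBroker, setKeeperPubKeys, executeOrder, registerApp, rotateKeepers) and the stubbed signature check are assumptions. The vulnerable Broker forwards any validated order to any contract, so an order can reach the Ledger's owner-only function that sets who the protocol trusts; the hardened Broker only forwards to registered application contracts and moves keeper rotation to a separate governance path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the Broker/Accountant analogy. Not Poly Network's
// contracts; all names here are assumptions made for the example.

// The "Accountant": custodies funds and stores which keeper keys the protocol
// trusts. It does whatever its owner (the Broker) tells it, without asking why.
contract Ledger {
    address public owner;
    bytes public keeperPubKeys;

    modifier onlyOwner() {
        require(msg.sender == owner, "Ledger: caller is not owner");
        _;
    }

    constructor(address broker) {
        owner = broker;
    }

    // Privileged: rotating the keepers changes who can authorise every future order.
    function setKeeperPubKeys(bytes calldata keys) external onlyOwner {
        keeperPubKeys = keys;
    }

    // Privileged: release funds held by the Ledger.
    function release(address payable to, uint256 amount) external onlyOwner {
        to.transfer(amount);
    }

    receive() external payable {}
}

// The "Currency Broker" as deployed: checks that an order carries keeper
// approval, then forwards it to whatever target and method the order names.
contract VulnerableBroker {
    Ledger public immutable ledger;

    constructor(Ledger l) {
        ledger = l;
    }

    // Stand-in for real signature checking against the keeper set (assumption).
    function _keepersApproved(bytes calldata) internal pure returns (bool) {
        return true;
    }

    function executeOrder(bytes calldata proof, address target, bytes calldata data) external {
        require(_keepersApproved(proof), "Broker: bad proof");
        // Flaw: `target` may be the Ledger itself and `data` may encode
        // setKeeperPubKeys(attackerKeys). The Ledger sees msg.sender == owner
        // and obeys, so the attacker now decides who may sign future orders.
        (bool ok, ) = target.call(data);
        require(ok, "Broker: call failed");
    }
}

// Hardened Broker: orders can only reach registered application contracts,
// never the Ledger, and keeper rotation has its own governance-only path.
contract HardenedBroker {
    Ledger public immutable ledger;
    address public immutable governance;
    mapping(address => bool) public registeredApp;

    constructor(Ledger l, address gov) {
        ledger = l;
        governance = gov;
    }

    function _keepersApproved(bytes calldata) internal pure returns (bool) {
        return true; // assumption, as above
    }

    function registerApp(address app) external {
        require(msg.sender == governance, "Broker: not governance");
        require(app != address(ledger), "Broker: ledger is not an app");
        registeredApp[app] = true;
    }

    function executeOrder(bytes calldata proof, address target, bytes calldata data) external {
        require(_keepersApproved(proof), "Broker: bad proof");
        require(registeredApp[target], "Broker: target not registered");
        (bool ok, ) = target.call(data);
        require(ok, "Broker: call failed");
    }

    // Changing the keeper set is a governance decision, not a cross-chain order.
    function rotateKeepers(bytes calldata keys) external {
        require(msg.sender == governance, "Broker: not governance");
        ledger.setKeeperPubKeys(keys);
    }
}
```

The point to take from the pair is that `onlyOwner` on the Ledger is not a defence when the owner is a contract that relays arbitrary calls: the check only asks who is calling, not whether the caller ever intended to make that call. Restricting the relay to an explicit allow-list of targets, and keeping trust-changing operations off the generic dispatch path entirely, is what stops the "tell the Accountant he reports to me" instruction from ever being delivered.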

Like most DeFi protocols, Poly Network is open source and, unlike traditional finance, is not under the control of any single person or company. It runs through smart contracts and algorithms, meaning that any hack or exploit of the system results in the loss of users' funds unless the attacker chooses to give them back. None of the underlying blockchain networks can simply void the transaction and return the money to users.

The Hacker Returns The Funds

Two days after the hack occurred, $342 million of crypto-assets had been returned to users on the Poly Network.

In a Q&A embedded within a digital currency transaction on Wednesday, the hacker allegedly said he had completed the exploit “for fun”. “When spotting the bug, I had a mixed feeling,” the hacker said. “Ask yourself what to do had you facing so much fortune. Asking the project team politely so that they can fix it? Anyone could be the traitor given one billion!”

The Q&A with the hacker responsible for the Poly Network hack.

Time will tell whether the hacker will return all of the funds taken from Poly Network. With the current DeFi boom, there are most likely many other projects carrying vulnerabilities that can be exploited, resulting in the loss of users' funds.

The hack is a stark reminder to crypto users of the importance of doing due diligence on any DeFi protocol they intend to interact with.
