Poly Network urges users to withdraw after affecting 57 crypto assets

More details are emerging following a July 2 attack on cross-chain bridge platform Poly Network, which resulted in a hacker being able to issue billions of tokens out of the air for profit.

In a July 2 Twitter post, Poly Network Confirmed It has become the victim of the latest DeFi exploit after attackers managed to manipulate a smart contract function on the cross-chain bridge protocol, saying it would temporarily suspend services.

In the most recent update, the team revealed The exploit affected 57 crypto assets across 10 blockchains – including Ethereum, BNB Chain, Polygon, Avalanche, Heko, OKEx and Metis, among others.

It did not say how much was stolen in the attack, but Peckshield first informed of that the exploiter had moved out at least $5 million worth of cryptocurrency.

“We have already initiated communication with centralized exchanges and law enforcement agencies seeking their assistance,” the team said in a July 3 update.

It also advised project teams and token holders to withdraw liquidity and unlock their LP (Liquidity Provider) tokens.

’34 Billion’ Poly Network Hack Breakdown

DeFi Security Analyst @0xArhat Said The exploit was the result of a smart contract vulnerability that allowed hackers to “craft a malicious parameter containing a fake verifier signature and block header”.

This was accepted by the smart contract, allowing hackers to bypass the verification process, allowing them to issue tokens from the Poly network’s Ethereum pool to their own addresses on other chains such as Metis, BNB Chain, and Polygon.

This process is repeated for the other chains thereby accumulating the token reserve.

The analyst said that at one point the hacker had roughly $42 billion worth of coins in his wallet, but he was only able to convert and steal a fraction of them.

“In this way, the hacker was able to create billions of tokens on different blockchains that did not exist before and transfer them to his wallet address.”

The latest Poly Network exploit has been dubbed the “34 Billion Poly Network Hack” by blockchain security solutions provider Dedab.

Getting to the bottom of the “34 billion” Poly Network hack with a technical postmortem.

tl;dr Doctor

Poly network had 3 out of 4 multisig simple setups in 2 years!

Looking at the last incident, we found that the private keys of the marked addresses had been compromised. pic.twitter.com/Y0eMJXcYso

— dedaub (@dedaub) 2 July 2023

Dedab noted weaknesses in the protocol’s multi-signature, saying it had a simple “3 out of 4” multi-signature arrangement over two years, adding:

“In looking at the last incident we found that the private keys of the marked addresses were compromised.”

Dedoub explained that the attack was not complex because no logic bugs were exploited. It states that Poly Network was slow to respond, taking up to seven hours, which caused the platform to lose $5.5 million in stolen cryptocurrency. Fortunately, the lack of liquidity in many coins prevented further losses.

Connected: DeFi hacks and scams caused over $204M in losses in Q2

Following the attack, Changpeng Zhao, CEO of Binance, reassured customers, They said that “this does not affect Binance users. We do not support deposits from this network.”

Poly Network gets Rect again; Allegedly due to compromised hot keys.

This will continue to happen until our industry changes its approach to security.

Smart contract audits only scratch the surface.

P.S. Poly network has nothing to do with polygon. https://t.co/n1qI48b4Kb

— Mudit Gupta (@Mudit__Gupta) 2 July 2023

Cointelegraph contacted Poly Network for more information but did not receive a response by the time of publication.

The Poly network was attacked once before in one of the industry’s biggest exploits in August 2021, when hackers, later revealed to be linked to the North Korean hacking group Lazarus Group, stole more than $600 million. Earned.

Magazine: Tornado Cash 2.0: The Race to Build a Safe and Legitimate Coin Mixer