$600MM drained in a hack of Poly Network. This ranks as the second largest DeFi rug, second only to this fleecing:


Poly
The first thing every DeFi user did upon hearing about the Poly Network hack was to rush to Polygon and make sure their TriCrypto bags were safe. Except, this hack happened not on Polygon, but on something called Poly Network?
One of the weirdest parts of cryptocurrency is that you can spend every waking hour studying it and think you understand the lay of the land, only to find there are entire ecosystems you’ve never even heard of. What’s more, apparently enough people had heard of it to attract half a billion dollars’ worth of value? Seemingly, the first time most people had ever heard of Poly Network was when they posted this announcement.

I couldn’t even find reference to it on CoinGecko or CoinMarketCap. After a little digging, I uncovered at least some evidence this network existed before yesterday, serving primarily as cross-chain bridges between 11 blockchains, most heavily Ethereum, Binance Smart Chain, Huobi Eco-Chain and OKExChain:


The hack was a bit tough to decipher given that it occurred across so many networks, in many cases lacking good tooling to aid debugging.

Early indication was that it was as simple as a single signer on what should have been a multisig address…


The actual mechanics turn out to be much more incredible, essentially creating a collision to spoof calls across chains. This brilliant thread breaks it down in detail:

Another great breakdown:
The TL/DR, the moral of the story:

Or for the laziest among us who prefer the movie version:
The Greatest Show on Earth
Netflix ($NFLX) stock dumped yesterday, presumably as everybody’s eyeballs were tuned to the hack.
Immediately following the hack, all eyes turned to watch the getaway occur in real time. The unlikely Netflix killer in this case turned out to be Etherscan, where bystanders observed the hacker writing messages directly into the blockchain.
Many followed the action using a script @banteg threw together to decipher the messages.



Good to know that if Twitter ever, say, bans talk of Ethereum, we can just pay gas fees to drop tweets directly on the blockchain. At 80 gwei it would cost a lot to say good morning to each other, but free speech has never been cheap.
Curve + Tether
With $600MM in funds rocketing across blockchains, Curve was a key path in the hacker’s escape route due to its central position within DeFi. At one point the hacker tried to dump much of the funds into the trusty Curve 3pool. Had the funds stopped there, the hacker could have lived a luxurious lifestyle even if they never boosted their rewards.

As it turns out, the hacker was using the pool instead to convert funds into the more censorship-resistant DAI, correctly assuming the funds could be too easily repossessed if left as Tether or USDC. Indeed, thanks to the quick thinking of Tether, $33MM worth of funds were frozen just blocks before they could deposit to Curve.


The quick reaction was impressive, though presumably some veCRV holders were Jonesing for their cut of the dirty money.

Of course this raised complaints from the people within DeFi who are of the opinion that code is law. In this case the code-law gives Tether the clear authority, and in this case we can rejoice that they exercised this authority for good.

Compare/contrast with USDC, which took no action as they were presumably still sleeping while the whole thing unfolded. Were markets rational in real time, this sort of lethargic execution should negatively affect Circle’s IPO prospects. Fortunately for Circle’s prospects, the sophisticated, accredited IPO investors get their news from sources like CNBC, so they’ve scarcely even heard of Ethereum.

Dear Hacker
We don’t yet know how much the hacker will end up getting to keep, but all indications are that the hacker’s personal portfolio has successfully outpaced inflation.
With no better options, Poly Network penned a strongly worded letter.

In this case… it may have worked? The hacker quickly had a change of heart shortly after the hack, declaring they were “NOT SO INTERESTED IN MONEY” and “READY TO RETURN THE FUND!”
By some reports the hacker is in fact returning some funds.


It’s not clear where victims are best off looking for restitution: local law enforcement, Poly Network, or just begging the hacker directly for money.



Surely more will develop over the coming days, but we sincerely hope anybody affected is OK.
Aftermath
Despite concerns that such a large hack would have seismic consequences around the cryptocurrency ecosystem, particularly at a time when lobbying efforts are actively underway in DC, the community has so far seen relatively little backlash. Senator Warren must be in absolute disbelief, as the cleanup is happening at the grassroots level among the community without need for a bailout.
We saw some calls for increased regulation, but the shadowy super coders took the opportunity to present a strong case for why the system can be vulnerable to multimillion dollar hacks while simultaneously being our greatest hope.


For more details on the hack, check the Poly Network blog and stay safe!
For more info, check our live market data at https://curvemarketcap.com/ or subscribe to our daily newsletter at https://curve.substack.com/. Nothing in our newsletter can be construed as financial advice. Author is a $CRV maximalist and has a stake in 3pool.