User:Ulvpn/sandbox

This is the user sandbox of Ulvpn. A user sandbox is a subpage of the user's user page. It serves as a testing spot and page development space for the user and is not an encyclopedia article. Create or edit your own sandbox here. Other sandboxes: Main sandbox | Template sandbox Finished writing a draft article? Are you ready to request review of it by an experienced editor for possible inclusion in Wikipedia? Submit your draft for review!

On August 10th, 2021, Poly Network was attacked by anonymous white hat hackers, causing over $610 million in digital crypto assets at the price of that date to be transferred to hacker-controlled addresses. Eventually, all assets were returned to Poly Network over the next 15 days. This was the largest security incident in DeFi's history in terms of the value of stolen assets at the price of that date.

Poly Network is an interoperability protocol for heterogeneous blockchains, which lets users swap tokens from one digital ledger to another. Poly Network works by facilitating exchange between several blockchains as users trade one cryptocurrency for another, such as trading Bitcoin for Ether. Currently, Poly Network implements interoperability between 11 heterogeneous chains including Bitcoin, Ethereum and so on.

Since the launch of the main net until the attack, Poly Network has transferred $10 billion in digital assets between blockchains, with a TLV of nearly $1 billion across the Poly Network, of which the white hat hackers transferred approximately $610 million of the most valuable digital assets to three addresses controlled by the hacker on Ethereum, Binance Smart Chain and Polygon.

After the attack, the Poly's team asked exchanges and miners to be aware of the flow of stolen tokens and called for the hacker's transactions to be stopped, Tether froze $33 million worth of USDT. In an open letter, the Poly team wanted to establish communication with the hacker and urge the hacker to return the stolen tokens.

The hacker(s) announced on August 11, 2021 that they had been planning to return the tokens and the purpose of the theft was to reveal vulnerabilities and secure Poly Network. They posted a self Q&A to communicate with the public by embedding messages in transactions with their addresses.

Through transactions on Ethereum hackers expressed no interest in money and considered returning the tokens or leaving it to the DAO to decide what to do with these tokens. Eventually, the hacker decided to return the tokens and asked the Poly team to prepare multi-signature address.

After receiving parts of tokens, Poly Network started to address the hacker(s) as "Mr. White Hat" and offered to reward them with $500,000 bug bounty and the position of "chief security advisor" of Poly Network, as a strategy to ensure safe return of the affected assets.

The hackers, however, declined the offer and instead begun returning the assets to the multi-signature wallet created by Poly Network. On August 16, Poly Network announced that mainnet upgrade went live and also expressed that they hoped Mr. White Hat would transfer the private key as soon as possible for complete user asset recovery.

On August 25, the Poly Network Exploit was finally ended with the hacker releasing the last private key. Later on, Poly Network recovered all user assets on August 26 and fully restored cross-chain services on September 1, 2021.

An initial investigation disclosed that the hackers exploited a "vulnerability between contract calls" in Poly Network's system and transferred millions of dollars in tokens to multiple separate cryptocurrency wallets. This includes 2,858 ether tokens worth about $267m, $252m of Binance coins and around $85 million in USDC tokens.

According to SlowMist, the hack was executed in the following way:

Poly Network has a privileged contract called ethCrossChainManager, which has the right to trigger messages from another blockchain. There is a feature that allows parties to perform cross-chain transactions. This feature validates the transaction request and adds it to the blockchain.

The key flaw is that this function can be used to call on the ethCrossChainData contract, which maintains a list of public keys that authenticate incoming data from other chains. The EthCrossChainData contract is owned by ethCrossChainManager. Therefore, the malicious party can trick ethCrossChainManager into calling ethCrossChainData and pass the unique owner check. With the correct data, they can trigger the function of changing the public key.

In Q&As posted on Ethereum the anonymous hacker claimed he or she carried out the heist for fun and to encourage Poly Network to improve its security. Poly Network team have accepted the explanation and called the hacker "Mr White Hat". Poly Network team also offered the hacker $500,000 worth of Ether as a bounty for the bug, and invited the hacker to be its chief security advisor. The alleged move has angered some in the security world who are worried that it might set a precedent for criminal hackers to white-wash their actions.

A white hat hacker Katie Paxton-Fear said that "labelling this hack as a white hat is really disappointing". Charlie Steele, former Department of Justice and FBI official, thought "Private companies have no authority to promise immunity from criminal prosecution," and "in this event where a hacker stole the $600m 'for fun' and then returned most of it, all while remaining anonymous, is not likely to lessen regulators' concerns about the variety of risks posed by cryptocurrencies."

Poly Network launched the global bug bounty program on Immunefi. The program aims at encouraging more security agencies and white hat organizations to participate in the audit of Poly Network's core functions, especially to address potential security risks. Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System — the rewards range up to $100,000 for critical vulnerabilities.

Hacks such as this one are ultimately good for DeFi in the long run, as it will increase scrutiny, governance, and improve the security posture of the networks. In the short term, this high profile Poly Network hack will be jumped on by the ill-informed to denigrate the entire DeFi movement, and while lessons need to be learned for sure, people need to be aware of the progress made so far by the DeFi community is what is in intents and purposes less than a decade old.

• Poly Network official website
• White hat hacker's address on Ethereum
• White hat hacker's address on Binance Smart Chain
• White hat hacker's address on Polygon
• Record of hacker's Q&A