The $600M PolyNetwork Hack: What Exactly Happened and What Investors Should Be Aware of
PolyNetwork, an interoperability protocol enabling atomic-cross chain transactions between multiple major blockchains, was just exploited to steal $600 million worth of investor’s crypto on Polygon, Binance Smart chain, and Ethereum
What Exactly Happened?
As reported by CryptoPotato earlier today, PolyNetwork announced that they had been attacked at 8:38 am EST. They immediately listed the addresses to which the anonymous hacker had transferred their funds on the ETH, BSC, and Polygon networks, and called upon miners of the affected exchanges to blacklist them.
The ETH, BSC, and Polygon addresses involved show volumes of $266.5M, $252M, and $85M worth of crypto assets, respectively.
These include WBTC, WETH, RenBTC, DAI, UNI, SHIB, and FEI. This totals to over $600M worth of crypto having been stolen, easily making this the largest DeFi hack to date.
In dollar value terms, this DeFi hack is comparable to the Mt. Gox and BitFinex exchange hacks, which resulted in $500M and $750M of stolen funds at the time of the hacks.
It was soon discovered that the hacker’s initial source of funds was Monero (XMR), a privacy-based coin, which he then converted to ETH, BNB, and MATIC in the exchange.
CEO of crypto exchange OKEx, Jay Hao, has reassured victims that he is addressing the situation:
“@OKEx is already on the case. We’re watching the flow of coins, and will do our best to manage the situation. Our wallet team will get in touch if we need more information.”
Analysis shows that the nature of the hack was a traditional compromising of user’s private keys, which was made easier due to Smart Contract design decisions by PolyNetwork.
An involved smart contract belonging to the company used a single keeper wallet, which allowed the hacker to sign off on a contract transferring all funds to his address, after obtaining the relevant private key, which may have been done through various methods. PolyNetwork has also not verified their smart contracts using Etherscan.
How Do Investors Avoid This?
As a growing field, DeFi still has many problems to sort out, and future scams, hacks, and exploits are highly likely to take place in the near term. CryptoPotato has outlined some best practices to protect investors from malicious actors seeking to compromise their assets.
These include ensuring that smart contracts of your chosen investment project have been audited by tech-savvy auditing organizations with pristine track records. Such precautions could have saved many investors in the case of this recent, historically large hack.