What Can We Learn From That Bizarre $600m Poly Network Hack?
The Poly Network hack was something of an embarrassment for crypto. At a time when champions of bitcoin and other cryptocurrencies are claiming they’re safer stores of value than the US dollar, the general public may have taken news of a $610 million cryptocurrency heist as a sign that crypto is anything but safe.
Yet the Poly Network hack — the biggest DeFi hack to date — is an interesting case study in cryptocurrency cybersecurity, if only because most of the $610 million was actually returned to the DeFi cross-chain trading platform. Poly Network itself even offered to hire the hacker — whom it dubbed “Mr White Hat” — as its chief security advisor, given that he or she claimed the attack was only about highlighting a bug.
Meanwhile, the most recent research from the likes of Chainalysis and CipherTrace shows that cryptocurrency crimes and hacks actually declined in 2020, at a time when coins were becoming more valuable (and hence more desirable to hackers). However, with the impressive rise of DeFi over the course of 2021, it’s possible that the latest figures would show an overall rise in hacks and crime this year.
The Poly Network Hack: The ‘White Hat’ Hacker Who May Not Be So Friendly
Founded by NEO chief executive Da Hongfei, the Poly Network is a DeFi platform providing interoperability between numerous major chains, allowing users to transfer assets from, say, Bitcoin to Ethereum. It achieves this mostly via the use of smart contracts, which is precisely what the hacker exploited on August 10.
As security firm SlowMist reported on August 11, the attacker found a bug which enabled them to alter a smart contract, changing it so that it sent crypto to their address rather than the rightful Poly Network wallet. This account of the attack was seconded by Ethereum programmer Kelvin Fichter, who noted that the hacker took advantage of special privileges allowing for the modification of data, which ultimately resulted in the contracts ‘hacking themselves.’
By harnessing these design flaws, the hacker was able to redirect $610 million in the following cryptocurrencies:
- ETH
- WETH
- WBTC
- UNI
- RenBTC
- USDT
- USDC
- DAI
- SHIB
- FEI
- BNB
- Various BEP-20 Tokens
However, the actual exploit isn’t really the interesting part of this story, since what happened next is pretty out there. More importantly, it suggests that crypto is actually becoming safer.
As noted above, the hacker returned all of the stolen $610 million, save for $33 million in USDT, which was frozen by Tether. According to messages shared by the hacker via Ethereum transaction notes, the reason for the return is that they never intended to keep the ill-gotten funds, and that the attack was intended to highlight the Poly Network’s vulnerability while ‘safeguarding’ the funds from more malicious attackers.
Despite the hacker’s claims and the return of almost all of the funds, not everyone is convinced of their benevolence, even if Poly Network itself has been referring to them as “Mr White Hat” in messages. Numerous security experts believe that the funds were returned only because the attacker encountered difficulty in successfully laundering them.
Speaking to Bloomberg, Chainalysis’ Gurvais Grigg suggested that Poly Network doesn’t really have a favorable view of the hacker, and is merely trying to appease them via the use of the “Mr White Hat” label.
“While it still remains to be seen how this strange story will play out, I can say that this is not typical behavior of true white hat hacker(s),” he said, casting doubt on the attacker’s account of the exploit.
Likewise, Elliptic co-founder Tom Robinson raised the possibility that the hacker began a dialog with Poly only in the hopes of regaining access to the frozen 33 million USDT.
“It seems like the hacker wants to retain some control over the funds. It just feels to me like the hacker has a bit of an ego. He wants to retain some attention,” he said.
According to SlowMist, the evidence it uncovered indicates the hack was “likely to be a long-planned, organized and prepared attack.” Despite it apparently being long-planned, Chainalysis argues in a blog post that the hacker must have been very naive to think they could have taken the funds successfully, without detection.
“Within minutes of the hack, crypto Twitter was ablaze with updates from countless industry operators, reporters, and anonymous sleuths tracking the attacker’s movement of the funds. It would have been virtually impossible for the attacker to move the funds anywhere without somebody broadcasting it,” the blockchain forensics firm wrote.
Overall Hacks Are Down, But Hacks in DeFi Are Rising
Indeed, while many may focus on the peculiar fact that the funds were returned, the real story behind the Poly Network hack is that it’s becoming increasingly difficult to successfully perpetrate cryptocurrency thefts.
“The good news is that the blockchain is transparent, and we, along with the cryptocurrency community, have our eyes on the funds,” said Grigg.
In fact, the claim that it’s becoming harder to hack crypto is supported by research. Most notably, Chainalysis’ Crypto Crime Report 2021 found that cryptocurrency-related thefts and crimes fell substantially last year, from making up 2.1% of all transaction volume (in 2019) to making up only 0.34% (or $10 billion in volume).
Source: Chainalysis
Looking at the particular types of illicit activity, it’s apparent that stolen funds — i.e. from hacks — make up a very small percentage of total illegal transfer volume.
Source: Chainalysis
Basically, hacks have been declining since 2018, at least in terms of volumes stolen. They’re becoming harder to commit and harder to get away with, something also supported by CipherTrace’s most recent cryptocurrency crime report.
In 2020, proceeds from cryptocurrency crime — including thefts, hacks and fraud — declined to $1.8 billion, down from $5.4 billion in 2019. Again, this supports the view of a downwards trend in the past couple of years.
That said, while data for 2021 isn’t complete, preliminary reports suggest hacks are in fact increasing in one area: DeFi.
Back in May, CipherTrace released an update for the first four months of the year. Overall crypto crime (including fraud and theft as well as hacks) continued its decline, hitting $432 million by the end of April. Unfortunately, 56% of this figure — $240 million — comprised DeFi hacks, exceeding the $129 million hacked for the whole of 2020.
And again, on August 11, CipherTrace released yet another update, showing a very similar pattern. Overall crime had totalled only $681 million by the end of July, but DeFi hacks had increased to $474 million, confirming that cybersecurity exploits in this particular area of crypto are indeed surging.
“It shouldn’t come as a surprise that as the DeFi ecosystem expands, so are DeFi crimes,” Dave Jevans, CipherTrace’s chief executive officer, told Reuters.
“Just eight months into 2021 and DeFi hacks, thefts, and frauds have already surpassed the total DeFi crimes from 2020.”
Back in May, Jevans also told Reuters that “hackers will seek out projects that have launched without performing adequate security audits, exploiting loopholes encoded in the smart contracts.”
In light of the Poly Network hack, this comment proved highly prescient. And with the DeFi sector ballooning from $7.3 billion in TVL a year ago to $82 billion today (and $60 billion in May), it’s likely that it will remain prescient for some time to come. Still, with the transparency of blockchain technology and the gradual maturation of DeFi, hackers may (sooner or later) learn that crime really doesn’t pay.