Poly Network Exploited Again, Urges Users to Withdraw as 57 Crypto Assets Affected

In a recent attack on the cross-chain bridge platform Poly Network, hackers exploited compromised private keys to manipulate a smart contract function, resulting in the issuance of billions of tokens for profit. Poly Network confirmed the exploit and temporarily suspended its services. The attack affected 57 crypto assets across multiple blockchains, including Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKx, and Metis.

The extent of the stolen funds was not specified, but it was reported that the hacker transferred out at least $5 million worth of crypto. Poly Network initiated communication with centralized exchanges and law enforcement agencies for assistance. It advised project teams and token holders to withdraw liquidity and unlock their LP tokens.

According to DeFi security analyst @0xArhat, the exploit leveraged a smart contract vulnerability that allowed the hacker to craft a malicious parameter containing a fake validator signature and block header. This enabled the issuance of tokens from Poly Network’s Ethereum pool to the hacker’s own address on other chains. The process was repeated across different chains, resulting in the accumulation of a significant token stash.

Blockchain security solutions provider Dedaub identified weaknesses in Poly Network’s multi-signature arrangement, highlighting that the private keys to the marked addresses were compromised. Dedaub stated that the attack was not complex, as no logic bugs were exploited. Poly Network’s slow response time of seven hours cost the platform $5.5 million in stolen crypto, although limited liquidity prevented further losses.

Poly Network previously experienced a major exploit in August 2021, in which hackers associated with the Lazarus Group made off with over $600 million. The recent attack underscores the need for the industry to adopt a more secure approach to prevent such incidents.

Binance CEO Changpeng Zhao clarified that this exploit did not affect Binance users, as Binance does not support deposits from the Poly Network. Cointelegraph reached out to Poly Network for more information but did not receive a response at the time of publication.

This incident raises concerns about smart contract security and highlights the ongoing challenges in securing decentralized finance platforms. The industry must continue to prioritize security measures and conduct thorough audits to protect users’ funds.
