Poly Network is back.
And the attack was a simple case of a compromised 3-of-4 multisig.
The team eventually acknowledged the attack, informing users that bridging services had been paused and making a call for help to the security community. In a follow-up, Poly clarified that “57 assets have been affected on 10 blockchains”
Prompting flashbacks of the first hack, which at the time totalled more than the entire rest of the leaderboard combined, initial reports used a notional value of $42B of minted assets.
But low liquidity on destination chains meant the attacker was only able to cash out a few million.
It seems we only ever hear of Poly Network when they’re hacked…
…who knew they were even still around?
In contrast to Poly’s last incident, this time appears to be a far simpler case of compromised keys; three of four multisig signers validated deposit proofs, granting the attacker access to funds.
The attack process involved locking a small amount of tokens on one chain, then withdrawing a larger amount on a different chain via forged proofs, repeated for various assets and chains.
A full, technical post-mortem can be found here.
Attacker’s main ETH address: 0xe0Afadad1d93704761c8550F21A53DE3468Ba599
EthCrossChainManager contract: 0x14413419452aaf089762a0c5e95ed2a13bbc488c
Although the notional value of assets minted reached into the tens of billions, the attacker could only access around $4.4M of Poly’s liquidity, with further assets remaining in the attacker’s address.
A full list of assets stolen by chain is available here.
Blockchain bridges create bottlenecks where funds accumulate on either side, often secured by a flimsy threshold of just a few EOAs.
Luckily, far less was lost in this time.
Will Poly learn their lesson?
Or will they go for the hat trick?
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
This is it rekt readers; the big one. $611M stolen from Poly Network, but has the hacker had a change of heart? They're returning the money bit by bit.
Infinite approvals… the ultimate leap of faith. Socket’s Bungee bridge lost $3.3M yesterday. Have you checked your approvals lately?
It wasn’t just fireworks blowing up on New Year’s Eve... Orbit Chain’s Ethereum bridge lost $81.5M. What will 2024 bring?