DeFi Bridge Platform Poly Network Faces Major Hack, Urges Users to Withdraw Funds
Over the last weekend on Sunday, July 2, cross-chain bridge platform Poly Network faced a major hack with the attackers being able to issue billions of tokens out of thin air for profit.
As per the details available, the hackers managed to manipulate a smart contract function on the cross-chain bridge protocol, while adding that they would be temporarily suspending the services. In the latest update, the team disclosed that the exploit impacted a total of 57 different cryptocurrencies across 10 blockchains, which include Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKX, and Metis.
The exploit occurred due to a vulnerability in a smart contract, enabling the hacker to create a harmful parameter containing a forged validator signature and block header. The smart contract accepted this action, allowing the hacker to bypass the verification process. Consequently, they could generate tokens from Poly Network's Ethereum pool and transfer them to their own address on different chains like Metis, BNB Chain, and Polygon.
The hacker's wallet once contained approximately $42 billion worth of tokens, but they could only convert and steal a small portion of them. As a result, the hacker created billions of tokens on different blockchains that previously didn't exist and transferred them to their own wallet addresses.
Poly Network acknowledged the development and suspended the services soon after. Besides, they also advised token holders and project teams to withdraw liquidity and unlock their liquidity token providers. “We have already initiated communication with centralized exchanges and law enforcement agencies and sought their assistance,” the team stated in a July 3 update.
The recent security breach on Poly Network, referred to as the "34 billion Poly Network hack" by Dedaub, a blockchain security solutions provider, was attributed to weaknesses in the protocol's multisignature system. Dedaub highlighted that the arrangement was a simple "3 of 4" multisignature setup for two years, and the compromised private keys led to the exploit.
According to Dedaub, the attack was not complex, and there were no exploits related to logic bugs. However, the response from Poly Network took approximately seven hours, resulting in a loss of $5.5 million in stolen cryptocurrency. Fortunately, the limited liquidity of many tokens prevented further losses from occurring.
Soon after Binance CEO Changpeng Zhao clarified that this hack hasn’t affected Binance users. “We do not support deposits from this network,” he added.
This is not the first time that Poly Network is the victim of a DeFi hack. Back in August 2021, the network faced a historic attack and one of the largest exploits in decentralized finance (DeFi). Back then, the network had lost $600 million in the attack losing funds across Ethereum, Binance Smart Chain, and Polygon.