Originally published in our Telegram channel.
Who did the hack target?
This is a big question. I've seen a couple of comments along the lines of "Not your keys, not your crypto", likening it to BitConnect or Mt. Gox. It is similar, but with a big caveat: these types of attacks do not typically target the crypto sitting in users' wallets. Attacks on custodial exchanges and centralized lenders, by contrast, will often target users' crypto just sitting in a spot wallet.
When you supply liquidity to a DeFi protocol, that crypto is no longer sitting in your wallet, but your keys should still be able to authorise its withdrawal, or your wallet will hold a receipt for the deposit such as cETH or LP tokens. You are still ultimately the custodian of your own crypto in DeFi.
If you have been interacting with DeFi protocols, it is highly unlikely you will wake up to a drained MetaMask after one of these hacks. You are too small a fish for these attacks to target. If that does happen, it is far more likely that you fell for a phishing scam.
Typically, hacks like this target liquidity pools, which often hold immense value. You may lose crypto you have deposited in a hacked pool or farm, but protocols often come up with solutions to reimburse lost crypto, as PancakeBunny did earlier this year after suffering a flash loan attack.
Poly Network holds large liquidity pools to facilitate cross-chain transfers, keeping a lot of exit liquidity on each chain. The money taken in this event was most likely that of users with large amounts of liquidity staked. This is not likely to be you farming CAKE on PCS!
Cross-chain protocols are incredibly hard to code correctly, and they should be treated with caution when you supply liquidity to them.
How did the hack take place?
I want to keep this part simple for those who are not technically minded. There are currently two working theories as to how the hack took place, and both involve the private keys that control ownership of the liquidity pools.
Theory 1: Leaked Key
Poly Network had a big security problem from the outset: a single-signature key controlled the pools, meaning only one signer was needed to authorise any change to a liquidity pool, including withdrawal of funds. This is like leaving a vault of gold with only one key. Anyone holding that key could open the vault with no other party involved.
Current theories suggest that this key was leaked or obtained by some other off-chain method. This was the account given in Poly Network's early official post mortem.
EDIT: This theory has since been disproved by Poly Network, but I wrote it, so I have left it here as an example of an early working theory.
Theory 2: Hacked Contracts
There are two important contracts: a "manager" contract and a "data" contract. The data contract specifies the address that is allowed to submit transactions withdrawing funds from the pool. If someone were able to replace this address with their own, they could withdraw as much from the pools as possible.
In Solidity there is a concept called ownership. A smart contract can restrict certain functions so that they execute only if the owner calls them. Typically the owner is set at construction to the wallet that deployed the contract, which is usually the developer. In this case, however, the owner of the "data" contract was the "manager" contract.
So if a function in the manager could be made to call the data contract and replace that address, the data contract would allow it, because the call comes from its owner.
But here is another flaw in Poly Network's design. The "manager" contract exists to run transactions on different chains. It has a function called "verifyHeaderAndExecuteTx" which verifies that a transaction exists on one chain and, if it does, runs it on another. This is needed for cross-chain interoperability.
But wait... we now have a way to run arbitrary functions from the "manager". If an attacker devises a specific input, they can freely set the most important address, the one that says who can withdraw from the pools, to their own.
This theory was confirmed by Poly Network.
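An added Solidity sketch (not Poly Network's code) of the two-contract arrangement described above: the manager deploys and therefore owns the data contract, and its verifyHeaderAndExecuteTx makes a low-level call to a caller-chosen target. All names other than verifyHeaderAndExecuteTx are assumed, and header verification is simplified to a keeper signature over the transaction hash; the hardened variant adds the two target checks a reviewer would expect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Assumed names, not Poly Network's code. Data records the keeper address whose proofs authorise execution.
contract Data {
    address public owner = msg.sender; // the deployer, which here is the Manager contract
    address public keeper;
    function setKeeper(address k) external {
        require(msg.sender == owner, "not owner");
        keeper = k;
    }
}
abstract contract ManagerBase {
    Data public immutable data;
    constructor(address initialKeeper) {
        Data d = new Data(); // Manager deploys Data, so Manager is Data's owner
        d.setKeeper(initialKeeper);
        data = d;
    }
    // Header verification is simplified to a keeper signature over txHash.
    function verifyHeaderAndExecuteTx(bytes32 txHash, uint8 v, bytes32 r, bytes32 s,
                                      address toContract, bytes calldata callData) external {
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", txHash));
        require(ecrecover(digest, v, r, s) == data.keeper(), "bad proof");
        _checkTarget(toContract);
        // The call is made by the Manager, so the callee sees msg.sender == Data's owner.
        (bool ok, ) = toContract.call(callData);
        require(ok, "exec failed");
    }
    function _checkTarget(address toContract) internal view virtual;
}
// The design the post describes: any target is accepted, including Data itself, so a verified
// message whose callData encodes setKeeper(...) rewrites who may authorise withdrawals.
contract VulnerableManager is ManagerBase {
    constructor(address k) ManagerBase(k) {}
    function _checkTarget(address) internal view override {}
}
// Hardened: Data is never a valid target, and only application contracts registered by the admin may be called.
contract HardenedManager is ManagerBase {
    address public immutable admin;
    mapping(address => bool) public registeredApp;
    constructor(address k) ManagerBase(k) { admin = msg.sender; }
    function registerApp(address app) external {
        require(msg.sender == admin && app != address(data), "not allowed");
        registeredApp[app] = true;
    }
    function _checkTarget(address toContract) internal view override {
        require(toContract != address(data), "privileged target");
        require(registeredApp[toContract], "target not registered");
    }
}
```

The check that matters is in _checkTarget: a contract that can execute arbitrary calls on behalf of an owner must never be allowed to address the privileged contracts it owns.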
The Aftermath
After losing upwards of $600M to a smart contract flaw that could have been prevented by audits and thorough examination, Poly Network was luckily able to recover the funds taken by the hacker. Notice we say taken rather than stolen. This is a common misconception when it comes to decentralization, and the responsibility should fall fully on the entity operating within DeFi.
The hacker found a security breach, and this should constitute nothing more than a failure on Poly Network's part to secure hundreds of millions of dollars of users' funds. Though the hacker did not seem sharp enough to hide their trail, having moved funds to centralized exchanges such as FTX that require KYC, it is a great lesson for those actively engaging with these types of platforms.
Chances are, if you are over-leveraged on a single platform controlled by anons and/or "trustworthy" people, you have already messed up. By doing this, you are going against the very ethos of decentralization and blockchain.
So the lesson here is never to over-leverage yourself in what is already an area propped up by paper clips. DeFi protocols, especially new ones, are extremely risky. Think carefully if it is money you cannot do without.
Stay in the Conversation
The Crypto Vigilante Network comprises many like-minded individuals sharing the same goal: exposing nefarious actors in the ever-evolving and fast-paced space known as crypto.
Our goal is to provide you with the latest updates and news across the blockchain space involving nefarious actors and those bent on using the public and their own communities for financial gain.
You can submit a tip or reach out to us through any of the social media below!
Alternatively, you can email us at cv@cryptovigilante.news or message us on Telegram at @RealCryptoV.