Explained: How hackers stole $ 613 million in crypto tokens from Poly Network

WASHINGTON, Aug.12 (Reuters) – Hackers on Tuesday succeeded in the biggest cryptocurrency heist ever, stealing $ 613 million in digital coins from the Poly Network token exchange, to return 260 million dollars in tokens less than 24 hours later, the company said. . Here’s what we know so far about the heist.

WHAT IS POLY NETWORK?

A lesser-known name in the crypto world, Poly Network is a decentralized finance (DeFi) platform that facilitates peer-to-peer transactions by allowing users to transfer or exchange tokens between different blockchains.

For example, a client could use Poly Network to transfer tokens such as bitcoin from the Ethereum blockchain to the Binance Smart Chain, perhaps seeking access to a specific application.

The Poly Network website did not immediately indicate where the platform is based or who is running it. According to crypto-specialist site Coindesk, Poly Network was started by the founders of the Chinese blockchain project Neo.

HOW DID THE HACKERS STOLEN THE TOKENS?

Poly Network operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tokens are exchanged between blockchains using a smart contract that contains instructions on when to release assets to counterparties.

One of the smart contracts Poly Network uses to transfer tokens between blockchains maintains large amounts of cash to allow users to efficiently exchange tokens, according to crypto intelligence firm CipherTrace.

Poly Network tweeted on Tuesday that a preliminary investigation revealed that hackers exploited a vulnerability in this smart contract.

According to a transaction analysis tweeted by Kelvin Fichter, an Ethereum programmer, the hackers appeared to bypass contract instructions for each of the three blockchains and divert funds to three wallet addresses, digital locations to store tokens. These were then tracked and published by Poly Network.

Attackers have stolen funds from more than 12 different cryptocurrencies, including ether and one type of bitcoin, according to blockchain forensics firm Chainalysis.

A person claiming to have carried out the hack said they spotted a “bug”, without specifying it, and that they wanted to “expose the vulnerability” before others could exploit it, according to digital messages published on the Ethereum network published by Chainalysis. Reuters could not verify the authenticity of the messages.

WHERE IS THE MONEY GOING?

As of Wednesday evening, the hackers had returned $ 260 million in assets, Poly Network said, but $ 353 million was unpaid. It is not known where the remaining assets went.

Coindesk reported on Tuesday that the hackers attempted to transfer assets, including tether tokens from one of the three wallets to the Curve.fi cash pool, but that transfer was rejected. About $ 100 million was taken out of another of the wallets and deposited into the Ellipsis Finance cash pool, Coindesk also reported.

Curve.fi. and Ellipsis Finance could not immediately be reached for comment.

WHO IS THE HACKER?

The hacker (s) have not yet been identified.

Cryptocurrency security firm SlowMist said on its website that it identified the attacker’s mailbox, Internet Protocol address, and device fingerprints, but the company did not still named nobody. SlowMist said the heist was “likely a long-standing planned, organized and prepared attack.”

Despite the alleged hacker posing as a so-called “white hat,” an ethical hacker who aimed to identify Poly Network’s vulnerability and had “always” planned to return the money, according to messages posted by Chainalysis, some experts in cryptography are skeptical.

Gurvais Grigg, chief technology officer at Chainalysis and a former FBI veteran, said hackers were unlikely to steal such a large sum. He said they probably returned some of the funds because it had proven too difficult to convert them to cash.

“It’s hard to know the motivation … let’s see if they pay back the full amount,” he added.

Reporting by Michelle Price in Washington and Gertrude Chavez-Dreyfuss in New York; edited by Richard Pullin

Our Standards: Thomson Reuters Trust Principles.