The Poly Network protocol was the target of a serious exploit this Tuesday morning (the 10th). Hackers managed to steal $611 million from three project addresses on the Ethereum, Polygon and Binance Smart Chain networks.
This is by far the largest amount ever stolen from a decentralized finance (DeFi) project. According to the Rekt list, Poly Network's loss was 11 times greater than the $59 million hack EasyFi suffered in April, considered the industry's biggest attack so far.
The Poly Network team confirmed the exploit on Twitter and released the hacker's address on each of the three networks. According to data from each network, $273 million was stolen in tokens on Ethereum, $253 million in tokens on Binance Smart Chain, and $85 million in USDC on the Polygon network.
The protocol team asked exchanges to block any transactions related to the addresses linked to the attack. The request was extended to miners of the stolen cryptocurrencies, such as USDT, DAI, UNI, SHIB, FEI, wBTC, wETH and RenBTC.
Tether, issuer of the world's largest stablecoin, blacklisted the $33 million in USDT that was stolen on the Ethereum network, preventing the amount from being moved on the blockchain.
However, other decentralized networks cannot do this kind of freezing, as CZ, founder of Binance, pointed out: “Although no one controls the Binance Smart Chain (or ETH), we are coordinating with all of our security partners to help proactively, but there are no guarantees.”
Even if exchanges and miners prevent the funds from being traded, that does not mean they have the power to get them back. It is still unclear how many users were harmed by the attack.
Poly Network is an interoperability protocol designed to facilitate the exchange of tokens between different blockchains. The project came about through an alliance formed between teams from various platforms, such as Neo, Ontology and Switcheo.
The developers have yet to release details on how the attack took place. Analyst Igor Igamberdiev of The Block speculates that the cause of the hack was a cryptography issue, something out of the ordinary. He said it may have been similar to the $7.8 million attack the Anyswap protocol suffered when an attacker reversed the smart contract’s private key.
The O3 trading pool, which uses Poly Network services, had to suspend its operations. According to a Twitter post by the profile @bigmagicdao, a user had posted a warning on Weibo in May about an issue in the O3 code that could put users' funds at risk.