Poly Network hackers potentially stole $610 million: Is Bitcoin still safe?

An Ethereum smart contract hack on the Ethereum bridge demonstrate how vulnerable smart contracts could be.
Written by Eileen Brown, Contributor

Yesterday the Poly Network, which specialises in cryptocurrency transfers on the Binance, Ethereum and Polygon blockchains, announced that it had been attacked and assets transferred to hackers.

It tweeted: Important Notice: We are sorry to announce that #PolyNetwork was attacked on @BinanceChain@ethereum and @0xPolygon

Assets had been transferred to hacker's following addresses: ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 and BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71.

It asked miners of affected blockchain and crypto exchanges such as Binance, HuobiGlobal, OKEx, Tether, BitGo, Uniswap and Circle Pay, amongst others, to blacklist tokens coming from these addresses.

Poly Network said that the hacker had "exploited a vulnerability between contract calls" -- where a contract can modify the keeper of a contract and execute a transaction. Estimates of funds held in wallets say that the loss was in excess of $600 million.

Twitter user @kelvinfichter explained how the hack actually worked.

Blockchain ecosystem security company Slow Mist tweeted that a total of over $610 million US was transferred to three addresses. It considers that the attack was likely to be "long-planned, organized and prepared".

The Poly Network later broadcast an open message to the hacker saying " The amount of money you hacked is the biggest on in the defi (decentralised finance) history".

It added, "Law enforcement in any country will regard this as a major economic crime, and you will be punished". Decentralised Finance (DeFi) aims to cut out third parties such as brokerages or exchanges.

Poly Network has asked for the return of the funds and tweeted the addresses that the funds are to be returned to. Paolo Ardoino tweeted that Tether had frozen $33 million as part of the hack.

Today Poly Network indicated that cash might be returning. It tweeted a screenshot of a transaction with a comment for the alleged hacker.

Update: you can view the entire conversation and refund update in this Google doc linked from @LX2025

This is not the first time that hackers have allegedly stolen Bitcoin. In February, legal proceedings began against Bitcoin developers after the theft of Bitcoin in 2020.

As legal processes ramp up across the world and lawyers aim to recover different lost or stolen assets, there seem to be fewer places for hackers to hide as new legislation is adopted.

The Bitcoin SV network, which recently tweeted that gigabyte blocks were mined on the public blockchain, was subjected to a series of block-reorganisation attempts in July and early August that attempted to double-spend BSV coins. The network recommended that node operators mark the chain as invalid to "lock the attacker's fraudulent chain out."

The EU proposal that addresses improved detection of money laundering and terrorism financing in the Union will require 'digital currency service providers to apply for licences, and anonymous digital currency asset accounts will be banned.'

The US' Infrastructure Bill proposal requires 'brokers' in the digital currency industry to collect information on and report customers' tax obligations to the government.

So is any version of Bitcoin safe? 

With potential cross-chain vulnerabilities occurring as relay chains and cross-chain bridges make it easier to move assets across blockchain, penetration testing and checking become ever more important.

Hacks like this in an Ethereum contract demonstrate how vulnerable smart contracts can be.

Miners running smaller nodes -- the very ethos of DeFi -- become more exposed to vulnerabilities like this, whereas miners running large mining nodes clusters have the resources and budget to carry out extensive testing and mitigation when potential hacks occur.

Will this be the largest hack ever, or will other vulnerabilities expose even larger amounts of money being moved to other blocks before being transferred out of blockchain currency exchanges?

Hopefully, this wake-up call will have developers making sure that their code is impenetrable -- whichever version of the contract is used.

Editorial standards