600 million USD in evaporated cryptocurrencies - Historic heist in decentralized finance

By: Bharggavi Ssayee


August 11, 2021 1:58 PM

A rude awakening for decentralized finance - The Poly Network cross-chain protocol announced a few hours ago that it had been the target of an attack of unprecedented scale. Beyond the amount of damage, a sad record for a DeFi protocol, what commands attention is that three different blockchains were hit simultaneously by a particularly sophisticated attack.


A hack of unprecedented scale for decentralized finance?

Is decentralized finance now having its “Mt Gox moment”? The expression comes from the hack of the eponymous platform in February 2014, which saw 750,000 BTC diverted, sent the entire market into a bloodbath and at the same time triggered an unprecedented wave of regulation.


The ecosystem did eventually recover, but only after the entire industry had gone through a terrible ice age, not to mention the lasting loss of confidence in a sector in need of recognition and credibility.


Seven years later, is the situation so different? The crypto market, in full euphoria over the past 10 days, seems to have superbly ignored the event, yet $610 million was siphoned off a few hours ago from Poly Network, a cross-blockchain protocol, that is, a gateway allowing liquidity to circulate from one network to another. A very practical gateway, but also a real point of weakness, as we can now see.


In detail, $273 million on Ethereum, $85 million in USD Coin (USDC) on the Polygon network and $253 million on the Binance Smart Chain were stolen by one (or more) hackers. Note that renBTC, wrapped Bitcoin (WBTC) and wrapped Ether (WETH) were also affected by the hack, which was described as having exploited “a vulnerability between contract calls”.


The protocol itself reported the event, rather pitifully, in a message addressed directly to the hacker:

"Dear pirate (sic),

We are the Poly Network team. We want to establish communication with you and ask you to return the pirated assets. The amount of funds you've hacked makes it the highest hack in DeFi history. Law enforcement in all countries will consider this a major economic crime and you will be prosecuted. It is very unwise for you to make other transactions. The money you have stolen comes from tens of thousands of members of the crypto community, that is, the people.

You should talk to us to find a solution."


A call for dialogue, an appeal to the attacker's possible scruples, the threat of "law enforcement"... a rather offbeat message which, at the time of writing, mostly provokes anger, even mockery, from the crypto community, in a context where “decentralization” is supposed to make it possible to do without a trusted third party, and above all without any external authority. Wishful thinking, as we can see once again.


This is a fundamental issue, and the timing could hardly be worse: the American Senate is debating the framing and regulation of the crypto sector, and the supposed “maturity” of that sector is being brandished by the defenders of a more flexible framework adapted to its innovations.


Did Poly Network escape a billion dollar hack?

Since this industry works like no other, the supposed pirate responded in his own way to Poly Network's message in a bottle, by encoding a message in a transaction demonstrating that he did control the compromised funds:



The most optimistic will see some reason to remain confident, since the individual, having just embezzled more than half a billion dollars, nevertheless presents himself as “not interested in money”. The others will mostly tell themselves that, on top of the outright loss of their assets, they must now endure the irony of the authors of the theft.


On the trail of the lost 600 million

This is probably not news to you: short of using specialized mixing services and/or assets known for being untraceable, the very nature of the blockchain makes moving or concealing stolen crypto assets particularly complex, especially on semi-decentralized networks such as Binance Smart Chain.


Moreover, crypto-assets like the USDT stablecoin are in fact under the control of their issuer, in this case Tether. As it turns out, Tether's CTO Paolo Ardoino quickly announced that his organization had frozen around $33 million in USDT from one of the compromised addresses. The CEO of OKEx, Jay Hao, and Binance, through its CEO, also announced the collaboration of the main exchanges.

“We are aware of the feat that has taken place today. While no one controls the BSC (or ETH), we coordinate with all of our security partners to provide proactive assistance. There is no guarantee. We will do whatever we can.”


Beyond his show of bravado, however, the pirate already seems to be having difficulty moving or recovering part of the stolen funds. In addition to the assets that are gradually being frozen, as we have seen, it is a safe bet that the addresses he used will quickly be blacklisted on all sides. Real logistical difficulties, then, even if it should be noted that, according to the Chinese IT security specialists at SlowMist, the attack was not improvised:


"Put in perspective with the flow of funds and the information on the multiple digital fingerprints, it can be estimated that this is probably a planned attack, organized and prepared for a long time."


Even if the sums involved are large, they will not be enough on their own to structurally compromise the market. On the other hand, it is hard to imagine that regulators of all stripes will not seize the opportunity to try to take the toy of decentralized finance out of hands considered too childish given the economic stakes. The sacrosanct argument of “protecting savers” could thus be further strengthened, even though, as you all know, the vast majority of users who fell victim to the Poly Network industrial accident had a basic idea of what they were risking.