Poly Network Revisits Nightmare: Hackers Unleashes Billions in Malicious Tokens

On Sunday’s crypto hack, attackers wielded their skills to issue nearly $4 billion in malicious tokens within the cross-chain protocol, PolyNetwork.

They did so by exploiting a smart contract function residing within PolyNetwork's bridge tool. The bridge facilitates seamless token swaps (it affected over 57 assets) across several blockchain platforms; it accomplishes this feat by locking value on one network and deftly releasing it onto another.

What Are Bridges?
Within the landscape of Web 3's ecosystem, bridges emerge as a pivotal force, enabling seamless asset transfers between diverse networks. The concept is ingeniously simple: tokens locked up on one chain are mirrored by an equivalent issuance on another. This interconnectivity undoubtedly opens new horizons for decentralised finance. However, bridges have borne witness to numerous lucrative heists, a testament to their allure to cyber adversaries.

‘Worthless’ Billions in BUSD, BNB, and SHIB Issued

Among their elusive creations were formidable quantities of Binance USD (BUSD), Binance Coin (BNB), and Shiba Inu (SHIB), each of which now echoes through the digital landscape.

Founder of 3z3labs, Arhat, tweeted that, “The hack happened because of a smart contract vulnerability in PolyNetwork’s cross-chain bridge tool” and explained with images, how the hack might have occurred.

Their audacious exploits knew no bounds. Specifically, on the Metis blockchain, they conjured a staggering 24 billion BUSD and BNB, while on the Heco blockchain, they unleashed an awe-inspiring 999 trillion SHIB tokens. They also extended their reach to other networks like Avalanche and Polygon, generating millions more of enigmatic tokens.

Colin Wu, or otherwise known as Wu Blockchain on Twitter, posted about the hack as well.

The aftermath of their grand heist was nothing short of astounding, with their digital wallet brimming with over $42 billion worth of tokens, at least on paper, according to DeBank’s report. This eye-popping sum was further validated by none other than PeckShield, the renowned blockchain data and security firm.

All’s Well That Ends Well?
Despite the attackers’ vast haul of tokens, they encountered obstacles in transforming their ill-gotten riches into tangible wealth. Insights from Metis developers shed light on a crucial revelation ─ the lack of sell liquidity for BNB and BUSD tokens. Such a predicament casts doubt on the attackers' ability to easily convert their virtual fortune into real-world value.

Yet, their challenges did not end there. A masterstroke by the developers added another layer of complexity to the situation. The illicitly minted METIS tokens, a part of the hackers' cryptic treasure, found themselves locked away on the PolyNetwork bridge. This strategic move served as an effective deterrent, rendering the attackers' potential monetisation endeavours considerably more arduous.

Celebrate the ‘Small’ Wins
In spite of the obstacles they faced, the attackers displayed a remarkable ability to find liquidity for certain illicitly minted tokens. According to reports from the analytics firm Lookonchain, a whopping 94 billion SHIB tokens were exchanged for 360 ether (ETH), while 495 million COOK tokens found their way to 16 ether. Additionally, 15 million RFuel tokens were traded for 27 ether. These transactions shed light on the attackers' relentless pursuit of realising value from their virtual spoils. The intrigue deepens as Lookonchain's watchful eye catches yet another fascinating detail ─ the movement of assets and ETH to new wallets.

Arhat acknowledged that, “Despite the magnitude of this hack, the hacker was only able to convert a small portion of these tokens…Everything else had no liquidity and were essentially worthless.” He estimated the attackers walked away with $400,000 worth of crypto.

Thereafter, insights from the blockchain security firm, SlowMist, reveal a more comprehensive picture of the attacker's total gains. Astonishingly, the hackers have already managed to "cash in" over $4 million worth of digital assets stemming from their audacious hack. The breakdown of this sum includes a striking haul of over 1,500 ETH, valued at $3 million, alongside a whopping 93 billion SHIB tokens, amounting to $700,000.

More inputs from PeckShield Alert on Twitter elaborated that the “exploiter has transferred more than $5M worth of cryptos out on #Ethereum, #BNBChain, and #Polygon.”

Users Holding Affected Assets Advised to Expedite Process of Withdrawing Liquidity and Unlocking Their LP Tokens
As of now, services are still temporarily suspended according to PolyNetwork.

Once Bitten, Twice Shy…Not?
Reminiscent of a headline-grabbing attack in 2021, which marked the largest exploit in decentralied finance history at that time, PolyNetwork’s past still looms large in the digital landscape. A simple Google search for Poly Network brings forth reminders of that infamous date, a testament to the scale of the earlier breach.

During the 2021 attack, a startling $600 million was lost, as funds on Ethereum, Binance Smart Chain, and Polygon were siphoned away. The aftermath witnessed Poly Network's commendable move to repay users who had suffered losses, thanks to the return of $342 million worth of stolen crypto by the hacker. Perplexingly, the attackers communicated that the heist was merely "for fun," and that returning the stolen crypto was "always the plan." Almost all of the pilfered funds were eventually returned, offering a glimmer of hope amidst the chaos.

Fast forward to the present, the recent hack of Poly Network, while not reaching the same monetary scale as its predecessor, has undoubtedly raised alarms about the platform's ongoing security measures. It beckons us to question whether the stolen crypto will find its way back to the platform and its users this time.

A Better First-Half than the Last
Blockchain security firm Beosin unravels the numbers: the crypto market has endured losses surpassing half a trillion dollars in the first half of 2023, arising from an array of nefarious activities. The newly released security data paints a bleak picture for the Web3 space, with a staggering $655.61 million worth of losses attributed to hacking attacks, phishing scams, and rug pulls in the initial six months of 2023.

The statistics lay bare the severity of the situation, with 108 hacking attacks alone contributing to a harrowing $471.43 million in lost funds. To compound matters, losses from 110 rug pulls and phishing scams amount to $75.87 million and $108 million, respectively, painting a multifaceted portrait of financial vulnerability within the crypto landscape.

The multitude of scams do seem disturbing, from NFT scams to AI-driven scams, crypto hacks, airdrop token scams, and more.

Nonetheless, contrary to the numbers, losses from hacking attacks during the first half of this year appear to be notably lower than those experienced in the corresponding periods of 2022.

Beosin revealed that a substantial 45.5% of the stolen assets, amounting to approximately $215 million, have already been successfully recovered. This stands in stark contrast to the previous year, where a mere 8% of the pilfered funds were reclaimed.

Is Poly Network’s Future Security in Limbo?
Though the recent hack of Poly Network may not have reached the scale of the previous incident, it nevertheless casts a shadow of uncertainty over the platform's future security. The implications of this breach beg us to contemplate the measures taken to bolster the platform's defenses and safeguard the interests of its users.

Will Poly Network rise to the challenge and fortify its security measures to prevent future breaches? Moreover, the burning question remains: Is there a possibility that the stolen crypto assets will find their way back to the platform and its rightful users this time?