An unidentified hacker has stolen more than $600 million worth of cryptocurrency from Poly Network, a decentralized finance (DeFi) platform based in China.
According to its website, Poly Network provides users the ability to trade cryptocurrency assets across different blockchains. Under the hood, the Poly Network executes these transactions using scripts called “contracts.”
On Thursday, August 10, an unidentified individual began moving funds from the Poly Network platform into cryptocurrency addresses under their control.
How the attack took place
“The hacker exploited a vulnerability, which is the _executeCrossChainTx function between contract calls,” a Poly Network spokesperson told The Record in an email today.
“The attacker use[d] this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract,” the company added, an attack that effectively allowed the intruder to declare themselves as the owner of any funds processed through the platform.
Using repeated calls to the attacked contract, the hacker was able to exfiltrate funds from the Poly Network and then transfer them to wallets under their control, identified by Poly admins as follows:
At the time of the hack, the Poly Network said the stolen funds were worth more than $600 million, making it the largest hack pulled off against a cryptocurrency trading platform to date.
Poly Network begs hacker to return stolen funds
Once the attack was discovered, Poly Network disclosed the incident to the public and asked for the help of the cryptocurrency community, begging mining platforms and exchanges to track the hacker’s movements and freeze their accounts.
In the meantime, the Poly Network has published an open letter on its Twitter feed, asking the hacker to return the funds before the incident escalates.
While hackers have returned stolen funds to cryptocurrency platforms in the past to avoid prosecution, the company’s letter was universally ridiculed for its naivety, becoming a trending topic on Twitter late last night.
At the time of writing, the hacker has not returned any of the stolen funds.
Instead, the hacker has been using the comment field in Ethereum transactions to post public messages or engage in conversations with various individuals, revealing in one of these that the breach could have been much larger if they would have bothered to move the Poly Network’s less popular altcoins.
The Poly Network told The Record they plan to update their users about the hack in the coming days via their Twitter account. It also confirmed the validity of an independent review of the hack posted by cryptocurrency security firm SlowMist.
Another Poly Network hack analysis is also available in the Twitter thread below:
The post Hacker steals $600 million from Poly Network in biggest ever cryptocurrency hack appeared first on The Record by Recorded Future.
Source: Read More (The Record by Recorded Future)