The PolyNetwork was launched on 10. August 2021 victim of the grossest theft to date in the history of cryptocurrencies. Unknown individuals stole coins and tokens from the Ethereum (ETH), Binance Smart Chain (BSC) and Polygon (MATIC, not related to PolyNetwork) blockchains worth $611 million at the time of the attack.
PolyNetwork is an interoperability platform – a bridge blockchain to exchange cryptocurrencies among each other without centralized exchanges. The theft was announced by the development team via Twitter. The security company SlowMist has discovered that unknown persons have apparently exploited a security hole within the PolyNetwork.
Lack of security
According to the report, it was possible to use a concatenation of certain functions in the smart contracts as a "Huter" (keeper) of the same and thus transfer the coins or tokens of the users to any wallet.
The attacking party’s addresses are:
- ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
- BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71
- Polygon: 0x5dc3603C9D42Ff184153a8a9094a73d461663214
Some crypto-bors have blocked the addresses to make sales more difficult. In case you’re wondering about all the tiny incoming transactions: Many hope to catch the attention of strangers this way and get money transferred in the form of cryptocurrencies.
The development team behind the PolyNetwork set up three multi-sig wallets and called on the unknown parties to transfer back the coins and tokens. They did in fact partially comply with the request after SlowMist said it traced the transaction chains to the point where it could use crypto-borse to fall back on the attackers’ identities.
So far, cryptocurrencies worth just under $5 million have been transferred to the aforementioned wallets:
- ETH: 0x71Fb9dB587F6d47Ac8192Cd76110E05B8fd2142f
- BSC: 0xEEBb0c4a5017bEd8079B88F35528eF2c722b31fc
- Polygon: 0xA4b291Ed1220310d3120f515B5B7AccaecD66F17
The messages in the transactions of the unknown persons, some of them sent to their own addresses, suggest that they are either trolls, have got the wind up or wanted to draw attention to the security leak in a dubious way.
Potential worth billions
In a first transaction, the hack was successful: "It would have been a billion hack if i had moved remaining shitcoins! Did I just save the project? Not so interested in money, now considering returning some tokens or just leaving them here."
On the PolyNetwork blockchain, stakeholders created the token "The hacker is ready to surrender". This was followed by a transaction with the text "ready to return the fund!", followed in turn by "Failed to contact the Poly. I need a secured multisig wallet from you." At the moment, the transfers come in batches.