Poly Network operates a decentralized crypto exchange: using open-source programmable smart contracts, Poly allows users to move funds between blockchains. This week, Poly was relieved of $600 million in crypto assets. Analyst SlowMist tracked down the exact vector by which the code was exploited. Here's a quick analysis.
Opportunity
Why does Poly Network have all that cash in the first place? The function of this DeFi project is to create financial contracts that link multiple blockchains. This is a market-making function: Poly creates trading opportunities for other users. It is similar to what stablecoin issuers do, except that where those connect on- to off-chain funding, Poly connects between different chains. These T accounts illustrate the between-chain function:
Paxos and Centre are stablecoin issuers, and their BUSD and USDC were among the assets taken in the heist.
Poly's project makes a market for cross-chain transactions. Say a user wants to use BUSD, on the Binance Smart Chain, to buy USDC, on the Circle blockchain. They can sell their BUSD to Poly Network using Poly's smart contracts to automatically transfer USDC to the user, on the other blockchain, when the BUSD transfer clears:
Like any dealer, Poly Network has to hold big balances so that it can execute these transactions smoothly. The bug allowed these big balances to be transferred to blockchain addresses of the hacker's choosing.
Means
Importantly, to my mind at least, there was no theft of cryptographic keys or phishing for passwords: the hacker must have read the source code and the white paper, found the bug, realized that it left a gaping hole in Poly's accounts, and written their own code to take advantage of it. Everything the hacker did was possible because Poly Network had built it into the smart contracts, without noticing. Poly was beaten on its own terms.
Motive
The hacker chose to leave a note, stylishly embedded in the Ethereum blockchain itself (in "Input Data", switch to "UTF-8" encoding to make it human-readable):
My translation: "I found this bug and I know its value. Poly's insiders cannot be trusted. I will transfer the funds to keep them safe."
Poly Network's response was to invoke the power of law enforcement:
The hacker got spooked, and has been frantically returning the funds.
My take
As heists go, this one has some nice features: a nine-figure haul, legal gray area, high level of skill required. But there are no heroes, as far as I can tell, only villains. If there's a moral, I think it's this: crypto is capitalism.
More to come.