Disclaimer: I'm showing an alternative perspective considering an inside cyber attack. I will support my hypothesis with several fact-based arguments while trying to stay objective. The Poly Network cyberattack, recorded as the largest hack of all time in the cryptocurrency market, saw worth of Bitcoin. $611 million The network is a cross-chain bridge connecting Ethereum, Binance Smart Chain, and Polygon Network. The attack produced a host of catchy headlines and more than one version of what happened, some of which contradict each other. But there are still more questions than clear answers. A PR stunt or a cyber attack? The Poly Network hack happened through a vulnerability exploit in the interchain bridges built by Poly Network. This has been provided in the by cybersecurity firm SlowMist. report The BlockSec cybersecurity firm has a version of the hack in which the hacker got hold of a key that enabled him to sign cross-chain transactions using the Poly Network bridges or found a bug in Poly Network’s smart contract that allowed him to generate his own transactions. offered After the hack, the cybersecurity firm SlowMist published a where it revealed its understanding of the vulnerability in Poly Network that was exploited by the hacker and how he did it. report The firm states that the hacker was able to substitute the keeper of the ‘ through the contract by calling the function of the contract’. EthCrossChainData EthCrossChainManager putCurEpochConPubKeyBytes EthCrossChainData And the contract can execute user-specified cross-chain transactions ‘by calling the function internally. EthCrossChainManager executeCrossChainTx So, the hacker changed the keeper of the contract and gained the ability to sign user-specified cross-chain transactions. EthCrossChainData The BlockSec cybersecurity firm offered a different of the hack, which sees the hacker getting hold of a key to the smart contract that enabled him to sign cross-chain transactions by using the valid PolyNetwork transaction-signing keys. version The company made that statement because the attacker provided a valid message to the function of the and the modifier in the smart contract was not bypassed. verifyHeaderAndExecuteTx EthCrossChainManager onlyManagerContract LockProxy Both these vulnerabilities would be very hard to pin down, and getting the signing keys could not be done without them being either leaked or given to the hacker. This latter version provided by BlockSec makes the version of an inside attack all the more plausible. Here we should note that the hacker returned all of the stolen funds and made a statement that his goal was not to steal the funds but to warn the project of the existing threat. The synergy of the biggest hack and all of the stolen funds being disclaimed by the hacker caused a massive PR effect for Poly Network, with its name doing rounds across all of the blockchain media and many mainstream outlets, might raise more eyebrows. It has also been said in the SlowMist report that the hacker might have decided to return the funds due to the credentials he used on the China-based cryptocurrency exchange Hoo.com being linked with his real identity. The hacker used the exchange to to pay for the gas in the attack. withdraw 0.47 ETH But in response to that, the hacker responded that he had used multiple anonymization instruments, and his identity could not be revealed. This makes the argument of his fear of prosecution as the motive for returning the funds less trustworthy and gives more reason to believe that the company’s management might have been involved. How to fight cyber threats in DeFi? The biggest problem with the security of decentralized protocols in DeFi is their architecture of smart contracts. Many protocols use more than one smart contract, and when a single smart contract can have a bug, several pose more cyber threats to a protocol. In order to build a safe, decentralized protocol, close attention should be paid to the security of the entire system. In order to minimize these risks, the modular approach can be the go-to thing. It means that the whole system is built of blocks that can be replaced on their own without compromising the system’s operation. This approach works well in data-processing centers where blade servers and routers are installed. However, when it comes to decentralized software, it is a totally different thing, where the adaption of the modular approach can present a new challenge. However, having the ability to tweak certain things in a decentralized protocol without affecting others can be a good solution to fixing bugs fast and efficiently. It is also important for the developers to be well familiar with the Solidity programming language that remains the only one for the Ethereum Virtual Machine so far. Lapses in the knowledge of Solidity can also be the reason for bugs in Ethereum-based smart contracts. A technical audit can eliminate most of the threats and vulnerabilities in smart contracts, and more attention should be given to the reliability of the code. In this regard, double-checking should be one of the basic things as employing the services of more than one auditor will increase the chances of making your DeFi platform hack-proof. Anyway, technical audits should be adopted as a must for all DeFi projects as only a systemic approach to security can make DeFi safe and allow the industry to develop and grow. What have we learned from the Poly Network hack? The evidence shows that there is a strong chance that the signing keys have been leaked or obtained by the attacker, with the company getting some positive PR as the funds have been returned to the users. But currently, it is impossible to make a definite judgment as inside evidence would be needed to find out the truth. If Poly Network management was involved behind the scenes, it would be gullible to expect them to come clean as they would have to then deal with unpleasant consequences. But one lesson learned from this incident is that DeFi investors must do due diligence when selecting the project to allocate their capital in. And the project teams should be prioritizing security for the industry to become a safer place.

Polygon

Chain

Binance

Can Social Networks Become Decentralised?

How to Keep Your Seed Phrase Safe?

HashEx

Nominated for 2022 - HackerNoon Contributor of the Year - Hacking

Nominated for 2022 - HackerNoon Contributor of the Year - Data Security

Nominated for 2022 - HackerNoon Contributor of the Year - Information Security

Too Long; Didn't Read

Download free Tech Leaders Productivity Report!

Dissecting Poly Network Hack: What Really Happened

Dissecting Poly Network Hack: What Really Happened

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

AI: An Agent For Dark Web Monitoring

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

AI: An Agent For Dark Web Monitoring

Windows Sticky Keys Exploit: The War Veteran That Never Dies

06/02/2018: Biggest Stories in the Cryptosphere

0-Days are on the Rise and that Means a Lot More Work for SOC Teams

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps