Cross-chain bridge protocol Poly Network was hacked over the weekend – the second time it has fallen victim to a multi-million dollar theft in two years.
According to analysis by 3z3 Labs founder “Arhat,” the hacker minted billions of dollars of tokens by exploiting a vulnerability in the protocol’s smart contracts. The hacker did this by crafting a malicious parameter containing a fake validator signature and block header, then passing it into the cross-chain manager contract that executes transactions on-chain.
“This way, the hacker was able to mint billions of tokens on various blockchains that did not exist before and transfer them to their own wallet addresses. At one point, the hacker’s wallet held over $42 billion worth of tokens (on paper) immediately following the hack,” wrote Arhat.
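The control that a forged validator signature and block header should fail is the one a cross-chain manager runs before executing anything: is this header signed by a quorum of validators the bridge already trusts? The Go program below is an added illustration of that check, not Poly Network's code (their contracts are Solidity) and not a reconstruction of the vulnerable logic; it assumes a simplified header, ed25519 validator keys, and a 2-of-3 quorum, all constructed here. It shows why attacker-supplied keys, duplicated signers, and headers altered after signing must each be rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Header is a simplified cross-chain block header (constructed for this
// example; real bridge headers carry more fields).
type Header struct {
	ChainID uint64
	Height  uint64
	TxRoot  [32]byte
}

// Bytes is the canonical encoding validators sign; every field is covered so a
// signature over one header cannot be reused for another.
func (h Header) Bytes() []byte {
	buf := make([]byte, 16, 48)
	binary.BigEndian.PutUint64(buf[0:8], h.ChainID)
	binary.BigEndian.PutUint64(buf[8:16], h.Height)
	return append(buf, h.TxRoot[:]...)
}

// Digest is what validators actually sign.
func (h Header) Digest() []byte {
	d := sha256.Sum256(h.Bytes())
	return d[:]
}

// Signature is one claimed validator signature over a header digest.
type Signature struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// Sign produces a validator signature for h.
func Sign(priv ed25519.PrivateKey, h Header) Signature {
	return Signature{
		Signer: priv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(priv, h.Digest()),
	}
}

// ValidatorSet holds the keys the bridge trusts and the quorum it requires.
type ValidatorSet struct {
	trusted map[string]bool
	Quorum  int
}

func NewValidatorSet(pubs []ed25519.PublicKey, quorum int) *ValidatorSet {
	vs := &ValidatorSet{trusted: map[string]bool{}, Quorum: quorum}
	for _, p := range pubs {
		vs.trusted[string(p)] = true
	}
	return vs
}

// VerifyHeader accepts h only if at least Quorum distinct, pre-registered
// validators produced valid signatures over it. Keys carried inside the
// submission itself are never trusted: a signer must already be in the set.
func (vs *ValidatorSet) VerifyHeader(h Header, sigs []Signature) error {
	digest := h.Digest()
	seen := map[string]bool{}
	for _, s := range sigs {
		k := string(s.Signer)
		if !vs.trusted[k] {
			continue // unknown key: the forged-validator case
		}
		if seen[k] {
			continue // one validator counts once toward quorum
		}
		if !ed25519.Verify(s.Signer, digest, s.Sig) {
			continue // known key, but the signature does not cover this header
		}
		seen[k] = true
	}
	if len(seen) < vs.Quorum {
		return fmt.Errorf("header rejected: %d valid validator signatures, %d required", len(seen), vs.Quorum)
	}
	return nil
}

// Scenarios runs the submissions a relayer might receive and returns the outcome
// of each; nil means the header is accepted and the cross-chain call would run.
func Scenarios() map[string]error {
	var pubs []ed25519.PublicKey
	var privs []ed25519.PrivateKey
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		pubs = append(pubs, pub)
		privs = append(privs, priv)
	}
	vs := NewValidatorSet(pubs, 2)
	h := Header{ChainID: 1, Height: 100}
	_, attacker, _ := ed25519.GenerateKey(rand.Reader) // key the bridge never registered
	tampered := h
	tampered.Height = 101

	return map[string]error{
		"honest quorum":                vs.VerifyHeader(h, []Signature{Sign(privs[0], h), Sign(privs[1], h)}),
		"attacker-only signers":        vs.VerifyHeader(h, []Signature{Sign(attacker, h), Sign(attacker, h)}),
		"one honest, one forged":       vs.VerifyHeader(h, []Signature{Sign(privs[0], h), Sign(attacker, h)}),
		"duplicate honest signer":      vs.VerifyHeader(h, []Signature{Sign(privs[0], h), Sign(privs[0], h)}),
		"header altered after signing": vs.VerifyHeader(tampered, []Signature{Sign(privs[0], h), Sign(privs[1], h)}),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-30s -> %v\n", name, err)
	}
}
```

Only the honest-quorum submission is accepted. The design point is that the validator set is fixed state on the verifying side and the quorum counts distinct registered keys, so a submission that brings its own "validator" key, repeats one signature, or reuses signatures over a different header gains nothing.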
— PeckShield Inc. (@peckshield) July 2, 2023
Blockchain analytics firm PeckShield confirmed that the hacker’s wallet address held this staggering figure. Included in the list of tokens the hacker issued out of thin air was 10 billion BUSD on Metis and 100 trillion SHIB on Heco.
However, a lack of liquidity for most of these tokens likely made cashing out considerably harder. So far, the hacker has only managed to swap around $5 million worth of crypto through decentralized exchanges such as Uniswap and PancakeSwap.
In a Twitter post on Sunday, the Poly Network team informed users that it would be suspending its services and urged them to withdraw liquidity and unlock their LP tokens from the platform.
As a result of the attack, 57 assets have been affected on 10 blockchains. https://t.co/Q5MudJInr9
The major portion of the assets is currently held by the following addresses.
— Poly Network (@PolyNetwork2) July 2, 2023
“To minimize further risks, we have reached out to the majority of project teams and urged them to promptly withdraw liquidity from decentralized exchanges,” said the Poly Network team.
Poly Network was exploited previously in 2021, losing $600 million in a hack that was labelled one of the largest exploits in the history of DeFi. However, the hacker returned nearly all of the stolen funds shortly afterwards and refused a $500,000 white hat bounty from the team.