DeFi Poly Network Hacked - $600 million in crypto

However, Poly politely asked the hackers to return all of the assets.

https://www.nasdaq.com/articles/cro...dreds-of-millions-potentially-lost-2021-08-10

Cross-Chain DeFi Site Poly Network Hacked; Hundreds of Millions Potentially Lost

Cross-chain decentralized finance (DeFi) platform Poly Network was attacked on Tuesday, with the alleged hacker draining roughly $600 million in crypto.

Poly Network, a protocol launched by the founder of Chinese blockchain project Neo, operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tuesday’s attack struck each chain consecutively with the Poly team identifying three addresses where stolen assets were transferred.

Combined, the three addresses hold more than $600 million in different cryptocurrencies, including USDC, wrapped bitcoin (WBTC), wrapped ether (WETH) and shiba inu (SHIB), blockchain scanning platforms show.


“We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses,” the Poly team tweeted.

The $600 million figure would place the Poly Network hack among the largest in crypto history.

Tether froze approximately $33 million in relation to the hack, Tether CTO Paolo Ardoino tweeted.

About one hour after Poly announced the hack on Twitter, the hacker tried to move assets including USDT through the Ethereum address, into liquidity pool Curve.fi. The transaction was rejected.

 
Does this affect Polygon (Matic)? Thanks
No. The Poly Network and Polygon Matic are two different things completely.

In fact, Polygon Matic is on fire today because the gas fees are going through the roof on Ethereum again, so they are in good shape. :thumbsup:
 
Why is crypto vulnerable to be hacked?
Mainly because it's emerging technology. It's actually the hacks that ultimately secure the overall network over time.

It's sort of like building a brand-new type of boat that seems awesome at first but eventually shows leaks in certain places over time. If it weren't for the leaks, you'd never know the weaknesses in the boat's structure. But because the leaks show up, you can re-engineer the next boat to not have that same leak problem.
 
Why is crypto vulnerable to be hacked?
Behind good things, there are bad things

https://www.forbes.com/sites/forbes...xchanges-are-hacked-so-often/?sh=15bfe7503421
Sep 17, 2018, 07:15am EDT
Why Are Crypto Exchanges Hacked So Often?

Ivan Novikov
Forbes Councils Member
Forbes Technology Council
CEO of Wallarm, a YCombinator-backed AI security startup.

  • steal $63 million in cryptocurrency from NiceHash.


    • January 2018: Hackers steal more than $500 million in cryptocurrency from Coincheck.

    • February 2018: Hackers steal approximately $195 million in cryptocurrency from BitGrail.

    • June 2018: Hackers steal roughly $40 million in cryptocurrency from Coinrail.

    • June 2018: Hackers steal $30 million in cryptocurrency from Bithumb.

    And that's not all -- there were other hacks that happened as well. In this article, I’ll explain why so many exchanges are being hacked.

    As I explained in my last Forbes article, crypto security is hierarchical: Protocol, exchange and personal wallet security are the three layers. This hierarchy means that if you have an issue at the coin protocol layer, you will be compromised, regardless of how secure your second and third layers are. At the same time, the complexity of the protocol level means it’s harder to find an issue like a DAO hack than finding a vulnerability at the lower layers like exchanges and wallets. That is why hackers target exchanges -- it’s the most efficient way for them to steal your money. Protocols are hard to hack, and wallets are too distributed. Exchanges are a good fit for them.


    Now that we've described why exchanges are the most attractive targets for hackers in the crypto world, it’s a good time to understand why they're hackable.

    The reason is simple. Any crypto exchange is a centralized single point of failure, vulnerable by design. As a centralized web application with functions to execute transactions and one or a few big crypto wallets inside, exchanges are prone to the same security problems as all other websites. All the usual application aspects such as frontend JS, mobile app, terminals and other clients on the client side and APIs and data repositories on the back end need to be protected. In my experience, the most critical security problems for crypto exchanges are split into the following buckets:

    The Client Side

    • XSS: Cross Site Scripting (aka XSS), which is the most popular client-side vulnerability, allows attackers to use your browsers as their own. The reason for this is an ability to inject malicious JS/HTML code to the web page generated by vulnerable servers. There is a myth that two-factor authentication (2FA), such as Google Authenticator or SMS code, saves from such vulnerabilities, but in fact, it does not. A malicious Javascript that gets to the page due to this vulnerability simply substitutes the withdrawal wallet address right before you withdraw funds. You do not see anything and can not prevent it in any way.

    • Open redirects that help hackers perform phishing-like attacks: This is an ability to redirect you in an arbitrary way from the link to your crypto exchange. It sometimes looks like it wouldn't be an issue, but technically, it allows attackers to do two things: 1) list exchange in search engines like Google as a malicious website, and 2) increase the success rate of malware installation attack because of the trust to the exchange domain. The typical attack looks like a link to the original domain of your exchange (not a phishing one, a real one) that downloads some sort of “new version of trading desktop client,” which technically is a malicious software that steals your wallet.

    • SSL issues related to mobile apps (like certificate pinning): This is a minor issue. However, it becomes critical when users travel to countries like China, Iran or Russia where governments could intercept internet connections by their own certificates.

    Common CSRF attacks are not in the list because two-factor authentication is widely implemented in the exchanges.

    The Server Side

    • NoSQL/key-value injections: These injections are mainly in the popular storage modules like Redis, Memcached and MongoDB. Similar to the older, more well-known SQL attacks that were mainly fixed at the frameworks and ORM level, there are similar attacks targeting new technologies like NoSQL and in-memory databases. These are newer and are rarely discovered by developers and frameworks.

    • Logic issues, mainly race conditions: These issues are critical and hard to discover by automation tools like source code analyzers. An example of this is simultaneously processing more than one withdrawal transaction, which could result in a negative account balance.

    • Authentication issues (e.g., bypasses): Sometimes passwords and even 2FA don't work just because of authentication bypass issues. These are logical or input validation problems, allowing access to the user session without proper credentials being checked.

    There are also other types of security breaches in which hackers steal GAS, not coins themselves. In this instance, it’s a proof-of-stake (PoS) cryptocurrency in which all the coins in your wallet generate GAS, an alternative currency used to sign other transactions. Again, the GAS itself is an alternative coin in any PoS-based cryptocurrency, and a lot of them belong to crypto exchanges because they hold users' PoS coins like ETH and NEO. That’s why if somebody steals GAS, you will never know about this as a client of crypto exchange.

    Who is the victim in the case of GAS stealing? Technically, it would be an exchange, but at the same time, would you know if your transaction fees were higher because of the GAS? GAS is one of the good reasons why it’s so important to understand security basics while dealing with crypto.

    Let’s summarize all the things explained above:

    All the crypto exchanges have weaknesses in the architecture because they were never designed in cryptocurrency protocols. Any crypto exchange is an ordinary centralized web application with all the same issues that plague any other web application. Web application vulnerabilities resulted in many crypto exchanges being compromised recently. Some exchanges never announced hacks because attackers stole only GAS, not coins themselves and users never knew about these incidents.
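
An added example (not part of the quoted Forbes article or of any post in this thread) for the race-condition item in the server-side list: it replays two overlapping withdrawals against a check-then-act handler, then against a handler that checks and debits in a single statement. The `accounts` table and all function names are hypothetical, and the overlap is replayed step by step instead of with threads so the result is deterministic.

```python
import sqlite3

def new_db(balance):
    # Constructed sample ledger: one account (id 1) with the given balance.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    db.execute("INSERT INTO accounts VALUES (1, ?)", (balance,))
    db.commit()
    return db

def read_balance(db, acct):
    return db.execute("SELECT balance FROM accounts WHERE id = ?", (acct,)).fetchone()[0]

def withdraw_racy(db, acct, amount):
    """Vulnerable check-then-act. The balance is read now; the returned
    callable performs the debit later, using the stale value for the check."""
    seen = read_balance(db, acct)
    def debit():
        if seen < amount:
            return False
        db.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, acct))
        db.commit()
        return True
    return debit

def withdraw_atomic(db, acct, amount):
    """Hardened form: the sufficiency check is part of the UPDATE itself,
    so a second request cannot act on a balance the first has already spent."""
    cur = db.execute(
        "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
        (amount, acct, amount))
    db.commit()
    return cur.rowcount == 1

def replay_racy(balance, amount):
    db = new_db(balance)
    a = withdraw_racy(db, 1, amount)   # request A reads the balance
    b = withdraw_racy(db, 1, amount)   # request B reads before A has written
    return [a(), b()], read_balance(db, 1)

def replay_atomic(balance, amount):
    db = new_db(balance)
    return [withdraw_atomic(db, 1, amount), withdraw_atomic(db, 1, amount)], read_balance(db, 1)

if __name__ == "__main__":
    print("racy:  ", replay_racy(100, 80))
    print("atomic:", replay_atomic(100, 80))
```

A `CHECK (balance >= 0)` constraint on the column is a useful second line of defence, since it makes the database reject the overdraft even if a racy code path is reintroduced.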
 
and the bitcoin price hardly went down.

and the bitcoin investors are immune to what the hackers did.

and the bitcoin investors are unfazed.


This hacking is probably too trivial to scare bitcoin investors.


 
This hacking is probably too trivial

I never heard of Poly Network before yesterday, I guess it's used for bridging between blockchains (ie. Eth, Bsc, etc)

Boxmining lost a "significant portion of his crypto assets" was a big surprise to me. He's been around for a long time and I would have thought he knew "nacho keys, nacho coins"

I have 6 figures $ worth of crypto on a defi platform, so I'm not saying it's not worth the risk given a certain amount of yield, but if I lose all that crypto, I'll be ok, it's not a significant portion of my crypto portfolio

The hacker has returned $280M worth of crypto already and he/she/they may return most of the amount, minus the ones that were already given away


I hope Boxmining gets restored most of his cryptos. Michael is a good guy, tries to educate others through his YouTube channel and website and Twitter


 
No. The Poly Network and Polygon Matic are two different things completely.

In fact, Polygon Matic is on fire today because the gas fees are going through the roof on Ethereum again, so they are in good shape. :thumbsup:

Yesss as I have some investments on Matic :) In addition, I saw on the news that the funds had been returned.
 