Poly Network hacker says heist was not about money but about exposing security loopholes
The US$613 million heist of digital coins from decentralised finance platform Poly Network was just to highlight the security failings of the platform, said the hacker.
The hacker said there was no interest in the money and that the plan had always been to return the digital coins. On Wednesday, the hacker returned US$260 million in digital tokens, including Ether and bitcoins.
The identity of the hacker (or hackers) has not been established, although blockchain forensic specialists have traced the hacker's digital footprints. In a lengthy Q&A written as a self-interview, the hacker claimed to have stayed up all night looking for a vulnerability to exploit and said they were worried that Poly Network would quietly patch the flaw without telling anyone. Hence the heist, to make the point publicly.
On its website, Poly Network states that it wants to allow a convenient way for users to swap cryptocurrencies between multiple blockchains. The website does not say where the company is based. According to cryptocurrency media platform Coindesk, the company was launched by the founders of Chinese blockchain project Neo.
Operating on the Binance Smart Chain, Ethereum and Polygon blockchains, the company used smart contracts to manage these swaps. Smart contracts are programs deployed on a blockchain that encode the rules for when, and to whom, assets are released.
It was a vulnerability in the smart contract that allowed the hacker to get away with the big bundle of cryptocurrencies, tweeted Poly Network on Tuesday. Analysis by several blockchain security firms indicates that the attacker was able to override the contract's instructions on each of the three blockchains and redirect the cryptocurrencies to three wallet addresses (on-chain accounts used to hold the tokens) under the attacker's control.
Analysts also indicate that the weakness lies with the smart contracts themselves, which are software programs written by people. People are fallible and make mistakes that can be exploited, they said.
Responding to the heist, Nicholas Chan, the CEO of Refinable, said the blockchain technology is inherently safe. “However, there are many additional layers on an interface and application level that require more work by various industry players to reach maturity.”
The good news is that, thanks to swift action by many companies in the blockchain community, the damage was contained to a certain degree and the hacker has since returned part of the stolen cryptocurrency, he added. Refinable is a Hong Kong-based multi-chain platform for creating, discovering, trading and using non-fungible tokens (NFTs).
“We can attribute this to the collective efforts of well-intentioned parties around the world, dedicated to maintaining the transparency, security and integrity of a decentralised party,” he added.
Blockchains are public ledgers: anyone can watch the stolen cryptocurrencies move across the network into the hacker's wallets. Chan argues that because every transaction is publicly visible, this transparency acts as a deterrent to malicious behaviour.
“In the centralised financial institution world, an incident like this may have stayed buried and not see the light of day.”
After discovering the heist, Poly Network identified the attacker's wallet addresses, published them and asked the community for help. Some crypto exchanges blacklisted these addresses so that the stolen tokens could not be deposited or moved through them.
This is the biggest cryptocurrency heist to date. The BBC reports that there have been other similar attacks in the last 12 months: Yearn Finance lost US$11 million to hackers in February; Alpha Finance had US$37 million stolen in the same month; and Meerkat Finance was drained of US$32 million in March.
What this heist shows is that a single flaw in a widely used smart contract can wipe out digital fortunes, and that the partial recovery depended on the attacker choosing to return funds and on exchanges blacklisting addresses, not on any safeguard built into the platform itself. The question is when regulatory authorities will move in to regulate the cryptocurrency market.