Poly Network alerted its users to the theft on August 10 in the early afternoon and immediately advised them to blacklist the addresses of the hacker responsible for the theft. At the time of Poly Network’s announcement, the company had spotted that the hacker had stolen $273 million in tokens on the Ethereum blockchain, $253 million in tokens on the Binance Smart Chain blockchain, and $85 million in USDC on the Polygon blockchain, for a total of $611 million stolen.
During the day of August 11, cybersecurity experts and firms shared their opinions on social networks, and many theories circulated. BlockSec, a Chinese firm specializing in blockchain cybersecurity, estimated in a first report that “the hacker could have the right key to identify himself, which would indicate that the keys would have been leaked”, and the hacker Mudit Gupta argued for a while on Twitter, where he is widely followed, that the Poly Network teams were incompetent, or that someone could have deliberately sabotaged the project, or even been bribed (he has since deleted his posts and published another analysis).
For now, one theory, developed separately by the specialized firm Slowmist and by an Ethereum developer, seems to be gaining consensus. The cause would be a flaw in a function of a smart contract that allowed changing the identity of its keeper (its owner), and thus allowed diverting money to the hacker’s addresses. “According to our observations, this is most likely a planned, organized, and prepared operation beforehand,” Slowmist explained. According to this theory, the hacker used this particular function to gain access to another function, which in turn gave him access to the blockchains. “We believe that in this case, there was no data leakage,” Slowmist’s teams conclude. Kelvin Fichter, an Ethereum developer, seems to reach the same conclusion as Slowmist.
Poly Network’s teams have since confirmed that it was indeed a flaw in the smart contracts, but have not given further details. “After an initial investigation, we have located the source of the vulnerability. The hacker exploited a flaw between two contracts, not a key as may have been said.”
But the teams didn’t just talk about the hack on Twitter: they addressed the hacker directly. In a message posted just hours after announcing the theft, the teams asked the hacker to return the stolen assets.
The hacker responded to the Poly Network teams in an unusual way: by sending an Ethereum transaction to himself and writing a message in it. Because his Ethereum address had been made public, many observers were able to see the message, including Poly Network members.
Over the past few hours, the hacker has initiated a whole series of money transfers. So far, $252 million in tokens on the Binance blockchain have been returned, along with $85 million in tokens on Polygon, and $4.6 million in Ethereum. In total, more than $324 million has been returned, according to Poly Network.
The hacker also chose to share his feelings on the site. In a four-part “Q&A”, the person explains that he did the hack “for the fun of it :)”, and that he chose Poly Network in particular because the “interoperability protocols are hot”.
The hacker also explained his motivation for the transfer. “Why did you transfer the tokens? To keep them safe.” He says he spotted the bug by chance and did not immediately know what to do. “I wondered what someone would do when they found out that such a big fortune was at hand. Would asking the Poly Network teams work? Anyone could be a traitor for a billion. I couldn’t trust anyone,” he argues.
He also described how he went about it. “I had planned to do an attack on four blockchains: ETH, BSC, Polygon, and HECO. It didn’t work for the HECO blockchain, […]. I should have stopped at that point, but I decided to continue. I thought ‘could they patch the bug without warning anyone?’ But I didn’t want to create a panic in the crypto world, so I chose not to target shitcoins, and not to sell them.”
The hacker, who identifies himself as a white hat, nevertheless acknowledged that he had a somewhat selfish motive. “I wanted to do something cool with this huge amount of money. Then I thought the coolest hack I could do was to be a moral leader.” It now remains to be seen whether the full amount stolen will be returned.