Bitcoin
$63,522.05+3.79%
Ethereum
$3,064.89+2.55%
Binance Coin
$552.04+3.00%
Solana
$140.97+4.61%
XRP
$0.50206140+1.56%
Toncoin
$6.50+5.65%
Dogecoin
$0.15310195+3.41%
Cardano
$0.45655130+2.29%
Shiba Inu
$0.00002287+3.29%
Avalanche
$35.05+3.12%
Wrapped Bitcoin
$63,608.63+5.74%
Tron
$0.10940397-0.95%
PlayIconNav
Crypto Prices CoinDesk 20 Index CoinDesk 20 Index
Consensus 2024Price Increase Extension Ends In
01
DAY
21
HR
44
MIN
41
SEC
Markets

Cross-Chain DeFi Site Poly Network Hacked; Hundreds of Millions Potentially Lost

DeFi platform Poly Network was attacked on Tuesday, with the alleged hacker draining roughly $600 million in crypto.

By Eliza Gkritsi, Muyao Shen
AccessTimeIconAug 10, 2021 at 1:56 p.m. UTC
Updated Sep 14, 2021 at 1:37 p.m. UTC
hacker code computer hands
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Cross-chain decentralized finance (DeFi) platform Poly Network was attacked on Tuesday, with the alleged hacker draining roughly $600 million in crypto.

Poly Network, a protocol launched by the founder of Chinese blockchain project Neo, operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tuesday's attack struck each chain consecutively, with the Poly team identifying three addresses where stolen assets were transferred.

At the time that Poly tweeted news of the attack, the three addresses collectively held more than $600 million in different cryptocurrencies, including USDC, wrapped bitcoin, wrapped ether and shiba inu (SHIB), blockchain scanning platforms show.

"We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses," the Poly team tweeted.

The $600 million figure would place the Poly Network hack among the largest in crypto history.

Tether froze approximately $33 million in relation to the hack, Tether CTO Paolo Ardoino tweeted.

About one hour after Poly announced the hack on Twitter, the hacker tried to move assets including USDT through the Ethereum address into liquidity pool Curve.fi, records show. The transaction was rejected.

Meanwhile, close to $100 million has been moved out of the Binance Smart Chain address in the past 30 minutes and deposited into liquidity pool Ellipsis Finance.

The Poly team could not be reached for comment at the time of publication.

Poly Network was the second Chinese interoperability protocol to be featured on the government-backed Blockchain-based Service Network.

Anatomy of an exploit

BlockSec, a China-based blockchain security firm, said in an initial attack analysis report that the hack may be triggered by the leak of a private key that was used to sign the cross-chain message.

But it also added that another possible reason is a potential bug during Poly's signing process that may have been "abused" to sign the message.

According to another China-based blockchain security firm, Slowmist, the attackers’ original funds were in monero, a privacy-centric cryptocurrency, and were then exchanged for BNB, ETH, MATIC and a few other tokens. 

The attackers then initiated the attacks on Ethereum, BSC and Polygon blockchains. The finding was supported by Slowmist’s partners, including China-based exchange Hoo.

“Based on the flows of the funds and multiple fingerprint information, it is likely a long-planned, organized, and well-prepared attack,” Slowmist wrote.

In a response to the attack, a spokesperson from Binance Smart Chain told CoinDesk that as a “decentralized” blockchain, protocols and users on BSC need to take security measures “extremely seriously.”

“We are aware of the Poly exploit that has affected Ethereum, Polygon and BSC users,” the spokesperson said. “Recently, several trustless bridges have become victims of such critical attacks and we recommend security audits and necessary due diligence prior to interacting with any projects.”

The spokesperson said BSC is currently working with its security partners to provide as much support as possible to the ongoing investigation.

The Poly Network incident shows how nascent cross-chain protocols are particularly vulnerable to attacks. In July, cross-chain liquidity protocol Thorchain suffered two exploits in two weeks. Rari Capital, another cross-chain DeFi protocol, was hit by an attack in May, losing funds worth nearly $11 million in ETH.

“As evidenced by all the exploits we’ve seen, cross-chain is a very hard area … with the added complexity of connections with every other chain and all their idiosyncrasies,” Ryan Watkins, a research analyst at blockchain data firm Messari, said.

UPDATE (Aug. 10, 14:30 UTC): Adds information about the wallet addresses and Tether's move.

UPDATE (Aug. 10, 14:54 UTC): Adds information about funds moving out of the Binance Smart Chain address.

UPDATE (Aug. 10, 17:36 UTC): Adds comments from Slowmist and Messari.

UPDATE (Aug. 10, 18:02 UTC): Adds analysis by BlockSec on the possible causes of the hack.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.