The Poly Hack and Crypto's Trust Issues

“And now, folks, it’s time for: Who do you trust? Hubba hubba hubba, money money money. Who do you trust? Me, I’m giving away free money. And where’s the Batman? At home, washing his tights!” – The Joker (Batman 1989)

When the Poly Network was hacked early last week for about $600 million worth of various cryptocurrencies, the attack was notable mainly for its size. It’s the biggest crypto hack ever – though not by much over 2018’s $500 million Coincheck hack. From 50,000 feet, it seemed like the logical progression of a series of hacks going back to the exploit that allegedly brought down Mt. Gox circa 2013, itself worth about $473 million at 2014 BTC prices.

In short, despite its size, the Poly hack just wasn’t all that interesting.

Then things got weird.

The hacker reportedly entered multiparty negotiations including Poly, miners, security firm Slowmist and the stablecoin issuer Tether. The nature of those negotiations still isn’t entirely clear, but we do know at least two things: Poly had offered the hacker a $500,000 “bug bounty” to return the stolen funds, and Slowmist claims it identified the hacker’s IP and email addresses (though the hacker denied being compromised).

A third strong hypothesis is that the hacker was beginning to realize he/she/they would have a very hard time liquidating anything close to $600 million in tokens (we don’t know the hacker’s gender, but I’ll be using "he" throughout for simplicity, and because odds are it’s accurate). Binance CEO Changpeng Zhao promised his exchange would “freeze” any hacked funds sent to his platform, while Tether actually took the step to freeze about $33 million worth of its USDT stablecoin taken in the hack.

There may have been other factors, but these alone were likely enough to trigger what came next: The hacker returned the money. By Thursday, Aug. 12, the hacker had placed almost all of the hacked funds (minus those frozen tethers) into a multi-signature wallet shared with the Poly team.

In other words, this is the proverbial dog who caught a car. After pulling off the biggest crypto heist of all time, the hacker didn’t know what to do with their loot.

Now, with help from the Poly Network itself, the hacker is trying to make what in pro wrestling is known as a “face turn”: a sudden transition from villain to hero.

On the morning of Aug. 16, the hacker posted a message via a verified Ethereum address including the following:

“MONEY MEANS LITTLE TO ME, SOME PEOPLE ARE PAID TO HACK, I WOULD RATHER PAY FOR THE FUN. I AM CONSIDERING TAKING THE BOUNTY AS A BOUNUS [sic] FOR PUBLIC HACKERS IF THEY CAN HACK THE POLY NETWORK ... IF THE POLY DON’T GIVE THE IMAGINARY BOUNTY, AS EVERYBODY EXPECTS, I HAVE WELL ENOUGH BUDGET TO LET THE SHOW GO ON.”

“I TRUST SOME OF THEIR CODE, I WOULD PRAISE THE OVERALL DESIGN OF THE PROJECT, BUT I NEVER TRUST THE WHOLE POLY TEAM.”

In other words (to clarify the apparently machine-translated note), the biggest crypto hacker of all time says he did it for the lulz. But also, building on statements made Aug. 11, he claims to be a benign hacker simply out to highlight a design flaw rather than actually steal money. It was “always the plan” to return the funds, he claims – and now he’s even willing to use his own money to pay further “bounties” to hackers who help find and fix exploits in Poly. He’s a full-blown Good Samaritan!

The Poly Network has helped along this face turn immensely by giving the hacker a very flattering nickname while angling for the return of the stolen funds: Mr. White Hat.

“White Hat,” of course, is a reference to a “white hat” hacker. A white hat hacker, in principle, only tests software vulnerabilities to help fix them, rather than to exploit them for gain. A “black hat,” by contrast, hacks for profit or malice.

Poly Network’s motives for pre-emptively dubbing the hacker a “white hat” are pretty clear: It gives the hacker a path to returning the funds and, perhaps, salvaging their reputation. For Poly, the return of funds is the only priority and this strategy is brilliant: You catch more flies with honey than with vinegar, after all.

But aside from Poly’s friendly nickname and his own statements, there’s very little clear evidence that the hacker’s original intentions were good. Among other contradictory evidence, it’s unclear why he would have moved $600 million when the exploit could have been demonstrated with a much smaller hack.

The situation highlights a tension that has grown along with the cryptocurrency ecosystem. “Trustlessness” is a core tenet of crypto, both technologically and philosophically. Broadly, this is a claim that trust can be placed in stable and secure blockchain systems, rather than fallible and selfish humans.

But with growing complexity, competition and stakes, the need for trust in the humans behind crypto has grown. So have the consequences of misplacing that trust. This applies most obviously to users of the Poly Network, who entrusted their funds to it: The various stolen tokens had been entrusted to the protocol, which acts as a custodian as part of its cross-chain functionality.

But the hack drives home the fact that they weren’t really trusting the system – they were trusting the network’s designers and coders. That trust has been shaken by the apparent flaws in their code. Poly is not alone in that, by a longshot: as mentioned, hacks and exploits have become frequent, particularly in decentralized finance (DeFi) systems, whose complexity makes them inherently more vulnerable than a simpler system like Bitcoin.

As CoinDesk’s Daniel Kuhn has argued, these hacks can be seen as part of the process of making these systems more secure. The hacker, whether it was his initial intent or not, has made Poly stronger.

Nonetheless, these hacks highlight an uncomfortable truth: In DeFi, the reputation of the people building the systems matters. And the Poly hack specifically shows one reason this is a problem. Poly is a project in part backed by the team behind Neo, a blockchain founded in China in 2014. For a person in the U.S. or Europe to trust them requires crossing the very barriers of language, geography and politics that crypto was supposed to dissolve.

Instead, the gap has fostered some outright conspiratorial thinking about Poly’s motives. This morning, Poly announced that it would offer Mr. White Hat a role as its Chief Security Advisor. This is most likely part of the network’s honey-dripping strategy to stay in the hacker’s good graces. But it has also triggered speculation that the hack itself was an inside job intended as a marketing stunt.

Another major aspect of trustlessness in crypto is finality. In Satoshi Nakamoto’s 2008 white paper describing Bitcoin, he writes that “completely non-reversible” transactions are a feature, not a bug, of the system: “With the possibility of reversal, the need for trust spreads.” Ultimately, that’s because reversibility requires an arbiter – a dreaded “third party” with the power to decide who’s in the right, then stop or return transactions. But eliminating third-party intermediaries is the entire point of cryptocurrency, the feature that makes it unique among digital payment tools (and, at least in modern times, among currencies as a whole).

What I’m getting at here, of course, is tether. The stablecoin is a major underpinning of the entire cryptocurrency ecosystem, with a market cap of $63 billion and a key role in facilitating trading. Most users likely think of tether as a “cryptocurrency” roughly akin to bitcoin, but its response to the hack puts the lie to that.

By freezing $33 million involved in the hack, the company behind tether demonstrated it is a “trusted intermediary.” Just like a bank (which it effectively is, in many senses), Tether has demonstrated that it can freeze any funds moving on the network, at any time. When you use it, you’re placing faith in Tether’s central administrators not to freeze your funds. (The same, to be clear, is true of tether competitor USDC, though Circle, the company behind USDC, chose not to intervene in the current case.)

And so, grim as it may be, it’s inarguable that crypto systems now increasingly invite the same timeless philosophical quandary we face when dealing with the traditional financial system:

Hubba hubba hubba, who do you trust?