The Poly Network Crypto Heist and DeFi, Explained

Padmini Das
Aug 31, 2022

"It’s not about the money… it’s about sending a message."

This is a line that has fit almost organically into a number of heist stories in the pop-culture genre. Now, it is fitting itself into the reality of our times by exhibiting a most peculiar honour among hackers, so to speak.

On August 10th 2021, hackers stole cryptocurrencies worth more than $600m from Poly Network, a decentralised finance (DeFi) platform. Some have referred to it as the “largest crypto heist” in recent years. But the real twist came when part of the stolen assets (over $260m) was returned a day later.

Regardless of what prompted this change of heart, the heist has unleashed quite a panic among crypto investors, companies and law enforcement agencies alike. Cryptocurrency thefts have risen sharply in recent times due to a number of factors, ranging from the sector’s nascence and lax security protocols to easy access and the inherent anonymity of use.

Let’s take a look at the specifics of the recent heist and what led us here.

The Breach

Poly Network, the platform which was robbed, is a DeFi platform which uses digital assets for lending and other financial transactions. It was founded by Da Hongfei, an entrepreneur based out of China, who is credited with the establishment of several other blockchain-related companies including Neo, a well-known Chinese DeFi project.

DeFi is essentially a broad term which covers all types of financial applications based on blockchain technology. The goal of DeFi is to cut out intermediaries — banks, brokerages, exchanges etc. Hence, “Decentralised Finance”.

Poly Network’s business is one such application of DeFi. It is a platform built to implement interoperability between multiple blockchains like Bitcoin, Ethereum, Binance Smart Chain, Ontology etc. It facilitates peer-to-peer transactions and enables users to transfer or swap coins across different blockchains.

What Was Stolen?

The following constitute the largest share of the stolen haul: $273m worth of Ethereum tokens, $253m in Binance Smart Chain tokens and $85m in USDC coins.

As is evident, most of the stolen assets were cryptocurrencies (largely Ethereum) or tokens backed by cryptocurrencies (like Tether) or novelty spinoff coins like the Shiba Inu coin which was inspired by Dogecoin.

Millions of dollars worth of these assets were transferred to separate cryptocurrency wallets by the hackers. A heist of such scale, even bigger than the $460m hack on the Mt. Gox crypto exchange in February 2014, was alarming enough for other crypto networks to try and fortify their own reserves for the time being.


For instance, Tether, a stablecoin designed to mimic the value of the US Dollar, effectively froze close to $33m worth of tokens associated with the alleged hackers’ wallet address.

The “Hows” of the Breach

Although Poly Network released very limited information on the mechanics of the heist, it was attributed to a vulnerability between the “contract calls” which was likely exploited by the hackers to gain access to the assets.

This is a reference to “smart contracts”, computer programs that execute a contract. The program code represents the terms agreed between the parties to the contract: terms like, say, when and how to swap coins between different blockchains, as is done on the Poly Network platform. Poly Network essentially uses these smart contracts to transfer tokens between different networks.

But because of its reliance on the blockchain (which maintains the record of the contract), the security of the data depends on the security of the blockchain protocol, which may be vulnerable due to poor coding.

This vulnerability was likely used by the hackers to gain access to Poly Network, which also holds Ethereum, the world’s second-largest cryptocurrency platform, and has at least 32,000 smart contracts on its blockchain. The hackers seem to have overridden the contract instructions for at least three different blockchains and diverted funds to three wallet addresses.

Hackers’ Whereabouts

The identity of the hackers remains unknown (big surprise!).

However, SlowMist, a cybersecurity firm, claims to have traced some of the messages left by the hackers on the blockchains to decipher their IP address, mailbox and device fingerprints. Some also suggest that the difficulty of converting the stolen coins into cash may have forced the hackers’ hands to return the funds.

One of the suspected hackers reportedly left a note on the blockchain taking responsibility for the attack with the intent “to expose the vulnerability before anyone exploited it”. It may have gained the world’s attention, but it still doesn’t make it easier for the hackers to withdraw the funds without drawing scrutiny.

Poly Network has also started making appeals to blockchain networks to freeze the suspected hacker wallets connected with the heist, which would make it more difficult for them to retrieve the funds sitting in blacklisted wallets. The return of funds was therefore more of a survival strategy than a Robin Hood-like saviour instinct.

In any case, the breach hasn’t materially affected the values of the assets (i.e. cryptocurrencies) that were stolen. Ethereum, the Shiba Inu coin and most other coins were trading as usual, with marginal increases or decreases in the aftermath of the heist.

The DeFi Hack Prospects

As the cryptocurrency sector continues to mature with more exchanges, wallets and digital assets hitting the financial landscape, it also witnesses an increase in cases of theft and misappropriation. Hackers have begun shifting their focus away from large cryptocurrency exchanges and wallets to DeFi platforms.

By July 2021, DeFi-related hacks and frauds totalled close to $361m, making up almost 75% of the total hack volume this year, a 2.7x rise from 2020.


What makes DeFi applications vulnerable to external exploits is their easy access. Most DeFi protocols are permissionless, which means they are not subject to regulatory compliance and anyone on the web can freely access their code.

Hackers have also capitalised on the large investor appetite for DeFi projects. The success of these projects depends on composability: the more projects are linked together, the more value they can offer. So, in a way, the ability to attract more investors also opens the door for hackers.

There has also been a rise in “rugpulls”, DeFi crimes conducted by insiders. Almost a quarter of all DeFi-related crimes (year-to-date) have been rugpulls, totalling $113m in value.

Besides, there’s a new phenomenon called “flash loan attacks”. Flash loans are unsecured loans (no collateral or KYC needed) that are executed on a blockchain through smart contracts. Any smart contract carries the possibility of a bug or loophole, which hackers can use to manipulate the terms of the contract and amass huge profits fraudulently.
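To show why a flash loan needs no collateral, here is an added, simplified lender contract (example code written for this article, not Poly Network’s or any real protocol’s code; the token interface and the borrower callback name are assumptions). The loan is handed out and must be back, plus a fee, before the same transaction ends, otherwise the whole transaction reverts and the loan never happened.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface this example needs (assumption: a standard token).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical callback the borrower contract implements; it receives the
// tokens, does whatever it wants with them, and must leave amount + fee
// back in the lender before returning.
interface IFlashBorrower {
    function onFlashLoan(address token, uint256 amount, uint256 fee) external;
}

contract SimpleFlashLender {
    IERC20 public immutable token;
    uint256 public constant FEE_BPS = 9;   // 0.09% fee, in basis points
    bool private locked;                   // re-entrancy guard

    constructor(IERC20 _token) {
        token = _token;
    }

    function flashLoan(uint256 amount) external {
        require(!locked, "reentrant call");
        locked = true;

        uint256 balanceBefore = token.balanceOf(address(this));
        require(amount <= balanceBefore, "insufficient liquidity");
        uint256 fee = (amount * FEE_BPS) / 10_000;

        // 1. Lend: send the tokens to the caller with no collateral taken.
        require(token.transfer(msg.sender, amount), "transfer failed");

        // 2. Let the borrower run its logic inside this same transaction.
        IFlashBorrower(msg.sender).onFlashLoan(address(token), amount, fee);

        // 3. Enforce repayment atomically: if the balance is not back with the
        //    fee added, this require reverts everything done in steps 1 and 2.
        require(
            token.balanceOf(address(this)) >= balanceBefore + fee,
            "flash loan not repaid"
        );

        locked = false;
    }
}
```

The repayment check in step 3 is the only thing standing in for collateral, which is why a loophole in the contracts a borrower calls during step 2 (price oracles, pools, swaps) is what flash loan attacks target.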

The dYdX and PancakeBunny incidents are classic examples of flash loan attacks, and the unfortunate rise in similar incidents could dent the “digital gold” value proposition of cryptocurrency and related applications like DeFi.

Between the unpleasant proliferation of cyber crimes (ransomware, phishing etc.) and the involvement of cryptocurrencies in those crimes (for payment purposes or as stores of value), it seems clear that the days of regulatory wilderness for blockchain derivatives may soon be over. Attacks like these, which impact millions of dollars of investments, could force the regulatory will to rein in the unrestrained operation of cryptocurrencies by introducing appropriate safeguards.

(Originally published August 14th 2021 in transfin.in)

Padmini Das

Lawyer and policy professional. Passionate about international law and governance.