“PolyNetwork was exploited in maybe the biggest hack in the short history of DeFi. Let’s have a closer look at how it actually happened, and what investors should verify before investing in DeFi projects and protocols.
PolyNetwork, an interoperability protocol enabling atomic-cross chain transactions between multiple major blockchains, was just exploited to steal $600 million worth of investor’s crypto on Polygon, Binance Smart chain, and Ethereum. “
“What Exactly Happened?
As reported by CryptoPotato earlier today, PolyNetwork announced that they had been attacked at 8:38 am EST. They immediately listed the addresses to which the anonymous hacker had transferred their funds on the ETH, BSC, and Polygon networks, and called upon miners of the affected exchanges to blacklist them.
The ETH, BSC, and Polygon addresses involved show volumes of $266.5M, $252M, and $85M worth of crypto assets, respectively.
These include WBTC, WETH, RenBTC, DAI, UNI, SHIB, and FEI. This totals to over $600M worth of crypto having been stolen, easily making this the largest DeFi hack to date.
In dollar value terms, this DeFi hack is comparable to the Mt. Gox and BitFinex exchange hacks, which resulted in $500M and $750M of stolen funds at the time of the hacks.
It was soon discovered that the hacker’s initial source of funds was Monero (XMR), a privacy-based coin, which he then converted to ETH, BNB, and MATIC in the exchange.
CEO of crypto exchange OKEx, Jay Hao, has reassured victims that he is addressing the situation:
“@OKEx is already on the case. We’re watching the flow of coins, and will do our best to manage the situation. Our wallet team will get in touch if we need more information.”
“Analysis shows that the nature of the hack was a traditional compromising of user’s private keys, which was made easier due to Smart Contract design decisions by PolyNetwork.
An involved smart contract belonging to the company used a single keeper wallet, which allowed the hacker to sign off on a contract transferring all funds to his address, after obtaining the relevant private key, which may have been done through various methods. PolyNetwork has also not verified their smart contracts using Etherscan.” Cryptopotato