The Biggest Crypto Hack in History. How It Happened, Why the Hacker Returned All $770 Million, and Why It’s a Great Reminder for Crypto Investors
Jack Choros
Content Marketing
A hacker, or group of hackers, stole $610 million USD from a protocol called Poly Network. That’s $770 million Canadian, marking the largest crypto hack in the history of the industry. The most mind-blowing part of it all? The hacker (or group of hackers) has already returned the stolen funds.
Both the amount stolen in the hack, and the fact that it’s all willingly returned makes this one of the most monumental stories in all of crypto history, and definitely one of the top stories of 2021.
In this edition of Netcoins Progressive Investor, you’ll get what you’re becoming accustomed to. An in-depth look at the story itself (including how the hack happened and why the hacker/hackers returned the funds, and what it can teach investors about the risks and rewards associated with crypto investing.
How Poly Network Got Hacked for $770 Million
A hacker exploited a flaw in the smart contracts of Poly Network to steal approximately $770 million Canadian back on August 10, 2021. Thanks to the transparency that both the Ethereum and Binance Smart Chain blockchains provide, Poly Network was able to pinpoint exactly where the stolen funds were sent and both addresses were provided to the general public via Twitter.
Although the original tweet didn’t mention that $85 million USD worth of the funds were actually stolen via Polygon Network addresses, it did push the subtotal stolen between the three blockchains to almost $770 million Canadian.
Financial figures aside. The step-by-step process used by hackers to acquire the funds is an interesting case study in itself.
Poly Network functions using keepers, which are trusted entities that sign messages which are then validated by the blockchain. Remember, Ethereum and BSC for example can’t talk to each other directly so they need an intermediary that validates messages between the two.
As long as the keepers aren’t malicious, they should only be signing messages that are already completed on Ethereum before relaying that message to another blockchain for example.
Poly Network has a management smart contract on every blockchain that receives signed data from keepers and verifies that everything is correct. If it is marked correct, it is assumed that the transaction has already happened but there is no way to verify this technology.
The transaction is then re-broadcasted on the target chain.
More on the Hacker’s Approach to the Heist
Anytime $770 million in stolen funds exchanges hands in crypto – and thanks to a hack – it’s bad news for the industry. The concern with the Poly Network hack, in particular, was not just about the money, however. The protocol itself is dedicated to facilitating blockchain interoperability, which means users looking to take advantage of Poly Network’s benefits might be exchanging all kinds of different tokens between one another. That means messages can be passed around between chains.
The chief product that Poly Network offers is a bridge where users can move tokens between blockchains by locking the tokens on one blockchain and unlocking them on another. The locked and unlocked tokens should always balance. The hacker managed to unlock tokens without disrupting this balance and without having to leave any tokens locked in themselves.
In the section above, we went over the idea of a management contract signing off on transactions that are already broadcast on an origin blockchain before they get moved to a target blockchain. If the management contract has the admin authority to sign off on transactions, a transaction that is supposed to fail might go through on the target blockchain.
Thus, the hacker put through a transaction that failed on the origin blockchain, but the management contract was able to replace the keepers and the hacker could then register transactions on the recipient blockchain, which allowed the funds to be removed and sent to the hacker’s address of choice.
Poly Network Was Able to Stop Further Damage
Here’s the good news. Poly Network’s main cross-chain swap platform is run by a company called 03 Labs and they were able to suspend swapping on their platform, which limited users from losing even more of their funds.
Tether Limited, the company behind the U.S. Dollar Tether token also chipped in and helped out as the organization was able to freeze $33 million USD worth of tokens before they could be stolen.
Side Note: Why You’ve Probably Never Even Heard of Poly Network
If you search for Poly Network on a big data aggregation website like CoinGecko or CoinMarketCap, you won’t find it, and you’ve probably never used it before yourself. That’s because Poly Network is much more popular in China than it is on this side of the ocean. Nevertheless, it’s still considered a viable project and serves its use case allowing blockchains to message each other.
Why the Hacker Gave Back $770 Million
SlowMist is a company focused on blockchain security. The organization was commissioned not only to try to figure out what happened during the hack but to see if it was possible to uncover the identity of the hacker.
As it turns out, the organization was able to determine that one of the wallet addresses receiving a portion of the $770 million stolen was registered to a user who had completed KYC at a cryptocurrency exchange. The hacker’s identity hasn’t been revealed and there is no word on whether they have been officially identified by any third party.
That said, the popular belief is that the hacker caught wind of all of this and decided to return the funds in full to avoid getting into legal trouble.
There is also another school of thought that says the hacker is an ethical or white-hat hacker, and that they had always intended to return the money and simply wanted to expose and exploit within Poly Network so that the project could do a better job of sealing such an exploit and thus protecting the funds of its users.
This latter idea might be hard to believe but even 03 Labs itself proposed the idea in a tweet.
Why the Hacker Likely Wasn’t a Friendly One
In an interview about the hack, developer Mudit Gupta suggests that the hacker was probably not interested in making Poly Network better or helping anybody. He cites multiple reasons for this.
Number one, Gupta notes that the hacker sent out a tip to a third party in an attempt to find a way to disguise or launder the funds. Secondly, he attempted to create a decentralized autonomous organization (DAO) that would control the funds autonomously and give the hacker access to the funds at a later date upon request.
Lastly, there was speculation that the hacker plans to call out the Poly Network team for creating a bad project or simply that they wanted to troll the project on the Internet at times. All things you wouldn’t do if you are an ethical hacker who intended to return stolen funds from the get-go.
Gupta firmly believes that the hacker changed their intentions when they realized that they might get in trouble.
Using the Blockchain to Broadcast Messages
The hacker is currently communicating with Poly Network using encrypted messages on the blockchain. Other users are sending messages to the hacker to participate in Q and A’s. It’s true! Believe it or not, Gupta says the hacker has participated in at least four different Q and A sessions using encrypted messages. It turns out the blockchain isn’t just good for transferring currencies!
How Crypto Investors Can Avoid Falling Victim to a Major Hack
Nobody knows if or when they will fall victim to a hack on any given day. Hackers are always looking for ways to exploit exchanges, credit card companies, blockchains, and smart contracts. The best mantra you can follow is to avoid investing more than you can afford to lose. There are also crypto insurance platforms like Shield Finance that allow you to use crypto to pay for insurance that covers losses resulting from a major hack or bug.
You should also keep in mind to do your due diligence when investing in a project. Just because a project has a high market capitalization or it’s the hottest trending coin in the industry, doesn’t mean that it was properly vetted or audited by a third party, and it doesn’t mean that there is no risk involved.
Trust Netcoins with Your Crypto
Netcoins is the most trusted cryptocurrency exchange in Canada, register for a free account today and buy Bitcoin, Ethereum, and a handful of other altcoins without paying deposit or purchase fees.
You can use online bill payments or e-transfers to deposit money into your account in exchange for crypto. You can also deposit crypto and exchange it for any other coins offered by Netcoins.
Transferring your coins to a hardware wallet is the easiest way to avoid getting hacked and Netcoins makes it easy for you to do just that!
Now that you’ve read about the biggest hack in the history of cryptocurrency and understand how and why it happened, you can manage your risk and be a better Progressive Investor.
Written by: Jack Choros
Writer, content marketing at Netcoins.