The vulnerability of blockchain infrastructure has been highlighted again as $611 million worth of cryptocurrencies were siphoned from the cross-chain protocol Poly Network on Tuesday, making it one of the largest crypto heists to date.
Launched by the founder of the Chinese blockchain project Neo, Poly Network enables swapping of tokens on the Binance Smart Chain, Ethereum and Polygon blockchains. All three blockchains were targeted in Tuesday's attack.
The Poly team has identified and published the three addresses where the attackers stored the stolen funds.
Important Notice: We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker's following addresses: ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71
— Poly Network (@PolyNetwork2) August 10, 2021
Data from blockchain scanning platforms for the three addresses shows that $273 million in Ether was stolen, along with $253 million in tokens from the Binance Smart Chain and $85 million in USDC on the Polygon network.
Actions After the Hack
The Poly team has already asked miners to block transactions originating from the three addresses, and the community is following through. Tether has already blacklisted the USDT tokens on Ethereum, which account for roughly $33 million of the stolen proceeds.
“We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses,” the Poly team tweeted.
Additionally, Binance CEO Changpeng Zhao assured coordination with Poly, but highlighted that no one controls the blockchains and "there are no guarantees".
We are aware of the https://t.co/IgGJ0598Q0 exploit that occurred today. While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can. Stay #SAFU. https://t.co/TG0dKPapQT
— CZ Binance (@cz_binance) August 10, 2021
Around an hour after the attack, the hackers tried to move cryptocurrencies, including USDT, through the ETH address into the liquidity pool Curve.fi, but the transaction was rejected. However, another $100 million in assets was moved from the Binance Chain and deposited into the liquidity pool Ellipsis Finance.
Though the exact way the protocol's security was breached is not yet known, several blockchain investigation companies have already initiated probes. According to Chinese blockchain security firm BlockSec, the attack might have been triggered by a leak of private keys or by a bug during Poly's signing process.
Another Chinese security firm, Slowmist, which obtained the information from its Chinese exchange partner Hoo, identified that the attackers used the privacy token Monero as their original funds. Furthermore, the company claims that it has identified the attackers' email address, IP information and device fingerprint.