In the cryptocurrency world, there have been several hacks over the years that have decimated users and exchange platforms alike. And in the decentralized world this is even more true because hackers frequently feel they can get away with coins more easily when there is less third-party oversight. And in August 2021, the Poly Network became the next platform to experience a hack, one that is being called the largest of all time to date.
On August 10th, 2021, the Poly Network was hacked. Cryptocurrency was stolen from multiple platforms on the network all at once, allowing the hacker to transfer over $610 million in various cryptocurrencies to his own wallets. Thus the network administrators had to take drastic action to keep the thief from getting away with the funds.
Keep reading to find out more about the Poly Network hack, the response by the company behind the network, and the unusual aftermath that followed.
The Poly Network Hack
The Poly Network is a decentralized platform that allows its users to trade cryptocurrencies on a peer to per basis without an overseeing third party. The cool thing about the Poly Network, is that users can actually swap across different blockchains. This means that you can swap Bitcoin to Ethereum, or even to something like Tether, depending on what cryptocurrency you need for a particular project. This platform was created by the founders of Neo, a Chinese blockchain project and it operates on Ethereum, Polygon, and Binance Smart Chain.
In order to allow users to swap cryptocurrencies between blockchains, the smart contracts running on the Poly Network need to maintain a lot of liquidity to allow for quick execution of transactions. This means that the Poly Network keeps large amounts of several different currencies in pools for its smart contracts to pull from.
The hacker took advantage of these sitting liquidity pools, finding a bug in the code that allowed him to override the smart contract and transfer all of these funds to his own personal wallets—of which he had three. By the end of the heist, the hacker had stolen more than 12 types of cryptocurrencies with a value of over $610 million US dollars.
The Poly Network Responds to the Hack
The problem with hacks is that they happen so fast that a company typically can’t stop them while they are being carried out. But the company Neo, behind the Poly Network, noticed very quickly that a large portion of their liquidity pools had been stolen and delivered to three different wallet addresses. Because cryptocurrency is decentralized, they couldn’t freeze or stop the wallets, but they did something that is arguably even worse. The company put a note out to all miners, exchanges, and users of the blockchain not to accept transactions from the three wallet addresses. This is what is known as blacklisting, and it effectively made the hacker unable to liquidate his $610 million in pillage.
The Poly Network Hacker Gives the Money Back
Because of the fact that the Poly Network locked the thief’s funds, what happened next shouldn’t come as too much of a surprise. The thief who hacked the Poly Network actually said he would return all the money he stole less than 24 hours after he stole it. According to an unverified message, the hacker claims that he never intended to steal the money, but rather just wanted to teach the Poly Network a lesson and expose the vulnerabilities in the system. This is quite suspicious, because after the hack on August 10th, the hacker immediately tried to transfer $100 million to another decentralized exchange platform known as Curve.Fi. But because of the quick thinking on behalf of the Poly Network, this transfer was rejected.
This was apparently enough for the hacker to realize that he was playing in a field that was out of his league and on Wednesday August 11th, 2021, the hacker returned over $260 million in assets. This however left $353 million still missing. According to the Poly Network, they were in deliberations with the individual and working on recovering everything that was stolen. On Friday August 13th, almost all of the remaining $353 million was returned, except for about $33 million that remains in frozen Tether assets. As of the writing of this article, the Tether has still not been returned, but this is mainly due to a failsafe mechanism the Tether platform placed on the stolen funds shortly after the heist. Supposedly the hacker is still in contact with the Poly Network developers and is working with Tether to return these final stolen funds.
Will the Thief Ever Face Prosecution?
One of the biggest problems in the DEFI cryptocurrency world, is when a platform is decentralized, they don’t require any KYC information from their customers. This means that although vigilante blockchain monitoring sleuths have discovered some digital information about the hacker’s online presence, little is known about the thief in real life. And in the cryptocurrency world, it is very difficult to get the police or FBI involved because many of these DEFI platforms operate outside of the US, or outside of US regulation. Therefore all Poly Network can do is rely on the vigilante sleuths who can only go off of blockchain information left by the thief, some of which can be manufactured using tools like a VPN.
Honestly, although the thief won’t be going to court or jail, he likely learned his lesson—well he learned that getting away with stolen funds wasn’t as easy as he thought it would be anyway. Hopefully he won’t try a heist of this size again, but if he does, whatever platform he targets better watch out, because next time he will likely have a contingency plan for liquidating the funds.
Overall, you shouldn’t let one hack scare you away from becoming involved in the DEFI cryptocurrency world. If anything, this hack shows that it is possible to have a DEFI network that operates safely and is able to protect users’ investments—well they were this time anyways. Just remember that any time you use a DEFI platform that there is some risk involved and that you should always vet any company before placing your hard-earned money on their platform.