In a dramatic turn of events, the hacker has returned more than a third of the $611mn stolen from PolyNetwork, in what is one of the largest Decentralized Finance (DeFi) exploits of all time.
On August 10, an unidentified individual attacked the cross-chain transaction protocol PolyNetwork. The perpetrator drained funds from multiple blockchains, including Binance Smart Chain, Ethereum, and Polygon Network. The company published the news together with the hacker's addresses.
Stolen funds include around $273 million on Ethereum, $85 million in USD Coin (USDC) on Polygon Network, and $253 million on Binance Smart Chain (BSC).
PolyNetwork revealed that RENBTC, WBTC, WETH, DAI, UNI, SHIB, and FEI were also involved in the heist.
In an open letter, the company threatened to take legal action and asked the hacker to return the money.
Possible Explanations of the Attack
After investigation, the project's team determined that the hackers had exploited a vulnerability between contract calls.
Chinese cybersecurity firm SlowMist posted on its Weibo account that it has been able to discover the attacker’s mailbox, IP, and device fingerprints through on-chain and off-chain tracking. It is also tracking possible identity clues related to the attacker.
With the help of several exchanges, including Hoo, SlowMist found that the hacker's initial source of funds was Monero (XMR), which the hacker then exchanged for BNB, ETH and MATIC on those exchanges.
"Combined with the flow of funds and multiple fingerprint information, it can be found that this is likely to be a long-planned, organized and prepared attack," said the security firm.
BlockSec, another China-based blockchain security firm, said in an initial analysis report that the hack may have occurred by leakage of a private key which allowed the hacker to sign cross-chain messages.
It also offered an alternative explanation: a potential bug in the signing process may have been "abused" to sign the message.
Cross-chain developer project O3 Labs suggested that the person behind the massive DeFi exploit could be a white hat hacker.
Early Response from the Hacker
According to on-chain data, the hacker is communicating via the input data of Ethereum transactions; some of the significant messages are:
"WONDER WHY TORNADO? WILL MINER STOP ME? TEACH ME PLZ!" (PolyNetwork Exploiter)
It appears that the exploiter was asking for help with using the tumbling service Tornado to launder the money.
Another message suggests that the perpetrator may return the money:
"IT WOULD HAVE BEEN A BILLION HACK IF I HAD MOVED REMAINING SHITCOINS! DID I JUST SAVE THE PROJECT?
NOT SO INTERESTED IN MONEY, NOW CONSIDERING RETURNING SOME TOKENS OR JUST LEAVING THEM HERE" (PolyNetwork Exploiter)
A third message proposes that a DAO should vote on where the funds go:
"WHAT IF I MAKE A NEW TOKEN AND LET THE DAO DECIDE WHERE THE TOKENS GO" (PolyNetwork Exploiter)
Community’s rescue efforts
“We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses,” PolyNetwork tweeted.
This appeal received a rousing response from the whole crypto community.
OKEx CEO Jay Hao said that the exchange’s team was “watching the flow of coins” and would try their best to control the situation.
Binance CEO Changpeng Zhao offered help by coordinating with security partners “to proactively help”.
Funds returned, albeit in a multi-sig wallet
Whether because the community made it difficult to use the funds, because of the possibility of being doxxed, or because of a genuine change of heart, the hacker has returned all the stolen funds.
In its latest official announcement, PolyNetwork confirmed that the hacker has transferred all the remaining assets to a multi-sig wallet that is now jointly controlled by the hacker and PolyNetwork.
It remains to be seen how the funds will be returned to the users, their rightful owners.
Hacker AMA and Change of Heart
The hacker, "Mr. White Hat", as PolyNetwork refers to them, conducted what appears to be a Q&A session using messages embedded in transactions on the network.
The hacker revealed that they did not like the Poly Network team's initial response, which they felt made the community hate them. After the team's tone warmed a little, communication between the two parties began and the hacker started slowly sending back the funds.
When asked why, if they intended to return the funds, they had moved them to other protocols, the hacker responded that they had hoped to earn interest on stablecoins to offset the costs incurred.
DeFi is essentially code, and code can have bugs. Finding and removing them is a tedious and expensive process, and whenever someone exploits one, money is lost directly, which is why DeFi is a favourite target of attackers. Users should carefully judge the security of any platform before transacting on it, bearing in mind that even audit reports cannot find every vulnerability.
Update Note: The article was updated when it was announced the hacker had returned the funds.