The Poly Network 600 Million Dollar Hack
Aug 15, 2021
Following what is thought to be one of the biggest (if not the biggest) cryptocurrency heists ever. On Tuesday, August 10th, 2021, Poly Network went to Twitter to ask the hackers who stole $600 Million in cryptocurrency to give it back. In a surprising turn of events, by Wednesday, August 11th, 2021, the hacker(s) returned nearly half of it (CNBC, 2021). By August 13, 2021, Reuters (2021a) reported that the hackers had returned nearly all of the stolen cryptocurrency.
How did all of this happen? Why did it happen? Will we ever know who was behind this frightening event that affected an entire crypto community?
Poly Network is a DeFi platform that provides interoperability services across blockchains (including Ethereum, and the Binance Smart Chain). According to Reuters (2021b), tokens are swapped between the blockchains using a smart contract that contains instructions on when to release the assets to the counterparties. One of Poly Network’s smart contracts was used for liquidity to facilitate swapping tokens between blockchains where, as explained by a Poly Network spokesperson, “the hacker exploited a vulnerability between contract calls” (ZDNet, 2021). This vulnerability was what allowed the hackers to acquire the stolen cryptocurrency.
While the individual (or individuals) behind the Poly Network hack have not yet been identified, Poly Network has stated they believe this was a “white hat” hack (a situation where someone attempts to find cyber vulnerabilities before the bad guys do). It was this perception of the event that prompted Poly Network to offer the hacker(s) a $500,000 “bug bounty” and stating it hoped “Mr. White Hat” would contribute to the blockchain sector’s continued development upon accepting the $500,000 reward, which it had offered as part of negotiations around the return of the digital coins (Reuters, 2021a).
Despite Poly Network’s decision to thank the hacker(s) for exposing a major vulnerability, others, including Gurvais Grigg (CTO at Chainalysis and former FBI veteran) doubt the heist was a white hat event stating that if it had been, it is unlikely the hacker(s) would have stolen as much money as they did. Grigg suggested the hackers, who at one point stated they did all of this “just for fun,” may have returned the money due to the difficulties of laundering it (Reuters, 2021a).
CNBC (2021). Hackers return nearly half of the $600 million they stole in one of the biggest crypto heists. Retrieved from https://www.cnbc.com/2021/08/11/cryptocurrency-theft-hackers-steal-600-million-in-poly-network-hack.html
Reuters (2021a). Crypto platform Poly Network rewards hacker with $500,000 bug bounty. Retrieved from https://www.reuters.com/technology/crypto-platform-poly-network-rewards-hacker-with-500000-bug-bounty-2021-08-13/
Reuters (2021b). Explainer: How hackers stole and returned $600 mln in tokens from Poly Network. Retrieved from https://www.reuters.com/technology/how-hackers-stole-613-million-crypto-tokens-poly-network-2021-08-12/
ZDNet (2021). Poly Network hacker has now returned almost all the $600m in crypto taken. Retrieved from https://www.zdnet.com/article/poly-networks-hacker-has-now-returned-almost-all-the-600m-in-crypto-taken/