According to a postmortem analysis of the recent Poly Network breach, the hack can be primarily attributed to stolen or misused private keys. This revised view contradicts the initial assumption that a logic bug in the smart contract may have been responsible. Dedaub, the team that reported the exploit, estimates the hack to be worth a “notional $34b”; however, because the majority of the token amounts were illiquid, the actual stolen amounts were significantly lower.
Regrettably, about two years ago, Poly Network had already faced an exploit resulting from a greyhat attack.
Following the exploit, the Poly Network team paused their smart contracts on several chains. Reconstructing the attack, the Dedaub team also mentioned that three out of four Poly Network keepers had their private keys attacked.
The architecture of the Poly Network allows tokens to be transferred from a source chain (the “lock” step) to a destination chain (the “unlock” step). The network's cross-chain management contracts are designed to accept proofs of token ownership.
This process, facilitated by consensus nodes, involves a root with a header that reflects the tokens locked on the original chain. The header is signed before a process is initiated and completed. The Dedaub team discovered that the exploit’s header was correctly signed by three centralized keepers, and that these keepers had remained unmodified prior to the attack.
Subsequently, the attacker executed the exploit by leveraging the verifier’s implementation, taking advantage of zero-length witnesses. Additionally, the attacker submitted an empty path proof for consensus. The analysis supports the hypothesis that Poly chain keepers were likely compromised and signed an artificially constructed state root. The only information contained in the root was an unlock command that sent tokens to the attacker, as further explained by Dedaub.
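The empty-path case described above, as an added example (not code from Dedaub or Poly Network): a generic SHA-256 Merkle verifier showing that a zero-length path verifies only when the signed root is itself the hash of a single leaf, and how a verifier or monitor can flag that condition. The hashing scheme, function names, `min_depth` parameter and sample data are assumptions made for illustration.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(value: bytes) -> bytes:
    return _h(b"\x00" + value)          # leaf domain prefix (assumed scheme)

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)   # inner-node domain prefix (assumed scheme)

def root_from_proof(value, path):
    """Fold the audit path into the leaf. Each step is (side, sibling),
    where side 'L' means the sibling sits on the left."""
    acc = leaf_hash(value)
    for side, sibling in path:
        acc = node_hash(sibling, acc) if side == "L" else node_hash(acc, sibling)
    return acc

def check_unlock(value, path, signed_root, min_depth=1):
    """Return (valid, suspicious). `valid` is plain Merkle verification.
    `suspicious` marks a valid proof whose path is shorter than min_depth,
    i.e. the signed root commits to nothing besides this one leaf."""
    valid = root_from_proof(value, path) == signed_root
    return valid, valid and len(path) < min_depth

def demo():
    # Constructed sample data: a four-leaf state tree, as in normal operation.
    leaves = [b"lock:alice:10", b"lock:bob:25", b"lock:carol:7", b"lock:dave:3"]
    l = [leaf_hash(v) for v in leaves]
    n01, n23 = node_hash(l[0], l[1]), node_hash(l[2], l[3])
    honest_root = node_hash(n01, n23)
    honest = check_unlock(leaves[2], [("R", l[3]), ("L", n01)], honest_root)

    # Constructed sample: a root that is just the hash of one unlock message.
    # Once the signers have signed such a root, the empty path [] verifies.
    msg = b"unlock:EXAMPLE_TOKEN:to=EXAMPLE_ADDRESS"
    single = check_unlock(msg, [], leaf_hash(msg))

    # The same empty path against the honest root does not verify.
    mismatch = check_unlock(msg, [], honest_root)
    return honest, single, mismatch

if __name__ == "__main__":
    print(demo())
```

A short-path flag is a detection signal only: if the signers approve a malicious root, proof verification alone cannot tell it apart from a legitimate one.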
However, despite the explanation, there is no definitive proof that the exploit resulted from stolen keys. Other possible causes include a rug pull or compromised off-chain software running on 3 out of 4 of the keepers.
While Dedaub evaluated the exploit, the attacker had initiated transactions on multiple chains to execute it.
The Poly Network team has urged project teams and token holders to withdraw their assets and unlock their LP tokens. They revealed that the exploit affected 57 crypto assets across 10 blockchains.
While Poly Network did not disclose the exact amount stolen, PeckShield reported that the attacker transferred at least $5 million worth of crypto from their wallet, which held approximately that amount from Dedaub.
It is important for users to be aware that Poly Network has temporarily suspended its services.