Poly Network operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tokens are swapped between the blockchains using a smart contract which contains instructions on when to release the assets to the counterparties.
One of the smart contracts that Poly Network uses to transfer tokens between blockchains maintains large amounts of liquidity to allow users to efficiently swap tokens, according to crypto intelligence firm CipherTrace.
Poly Network tweeted on Tuesday that a preliminary investigation found the hackers exploited a vulnerability in this smart contract.
According to an analysis of the transactions tweeted by Kelvin Fichter, an Ethereum programmer, the hackers appeared to override the contract instructions for each of the three blockchains and diverted the funds to three wallet addresses, digital locations for storing tokens. These were later traced and published by Poly Network.
The attackers stole funds in more than 12 different cryptocurrencies, including ether and a type of bitcoin, according to blockchain forensics company Chainalysis.
A person claiming to have perpetrated the hack said they had spotted a “bug,” without specifying, and that they wanted to “expose the vulnerability” before others could exploit it, according to digital messages posted on the Ethereum network published by Chainalysis. Reuters could not verify the authenticity of the messages.
WHERE DID THE MONEY GO?
Coindesk reported on Tuesday that the hackers had initially tried to transfer some of the assets from one of the three wallets into liquidity pool Curve.fi, but that transfer was rejected. About $100 million was moved out of another of the wallets and deposited into liquidity pool Ellipsis Finance, Coindesk also reported.
Curve.fi and Ellipsis Finance could not immediately be reached for comment.
But early Wednesday the hackers started transferring assets back to Poly Network and by Thursday morning had returned $342 million worth of tokens, with $268 million stolen from the Ethereum chain outstanding, Poly Network said. Around 10 a.m. ET (1400 GMT) on Thursday, Poly Network said it was still communicating with the hackers, who were gradually transferring back the remaining assets.