Analysis of Poly Network’s $10 million loss attack

On July 1, 2023, an attacker exploited a vulnerability in Poly Network to mint assets worth $42 billion across multiple chains. Although a large number of assets were issued, the attacker was able to retrieve only a little over $10 million in assets, held in five external account addresses, because of low liquidity and partial project token freezes.

This is the first cross-chain bridge attack to occur this year and the second attack on Poly Network. Last year’s attack resulted in a total loss of $3.7 billion, of which cross-chain bridge attack losses accounted for 35%. Although this event appears to be the largest-ever vulnerability attack in terms of the amount involved, the hacker’s actual earnings are much lower.

Event Summary

At 2:47 pm Beijing time on July 1, 2023, a malicious actor transferred assets from Poly Network’s Lock Proxy contract to the attacker’s address by initiating several cross-chain bridge transactions. On paper, the attacker profited from over $42 billion worth of assets across ten chains.

Image: Poly Network attacker wallet address. Source: Debank

However, this number is misleading. For example, the attacker holds over $34 billion worth of Poly-pegged BNB and BUSD on the Metis blockchain, but these tokens cannot be sold due to lack of liquidity. Later, Metis also confirmed in a tweet that the newly minted BNB and BUSD had no available liquidity and were therefore worthless.

Similarly, a large amount of the remaining tokens became worthless. On hearing of this event and of the tokens issued by the attacker, several projects quickly removed liquidity to prevent token dumping and price collapse. For example, OpenOcean, StackOS, Revomon, and NEST all removed liquidity for their projects to prevent the attacker from selling.

Revomon Twitter

Although the $42 billion figure does not accurately reflect the losses caused by this event, CertiK has confirmed that at least $10 million in assets were deposited in five Ethereum wallets.

Cross-chain Bridge Vulnerabilities

In 2022, security incidents affecting cross-chain bridges led to $1.3 billion in economic losses, which were caused by only five events. Therefore, the destructive power of cross-chain bridge security vulnerabilities is evident. Protecting cross-chain bridges is difficult, and with their high value and various attack pathways, these infrastructures are often the preferred targets of malicious actors. Cross-chain bridges consist of multiple parts, including custodians, issuers, and oracles. Due to the large amount of funds locked on the bridge, any misconfiguration, vulnerability, or malicious exploitation can lead to significant losses.

Attack Process

Poly Network bridges assets between different networks using “Lock” and “Unlock” functions. Users must “Lock” tokens on the source chain before they can “Unlock” them on the target chain.

The following example is based on a cross-chain transfer from BSC to ETH.

① The attacker first called the Lock function on the BSC network to initiate a small cross-chain transfer of 8BlockingY tokens.

Image: The attacker initiated a cross-chain transfer of a small amount of 8BlockingY tokens. Source: Etherscan

In this transaction, the data was specified as starting with “0x4a14feea0bdd3d07eb6fe305938878c0cadbfa16904214e0afadad1d93704761c8550f21a53de3468ba599e80300000000000000000000000000” with the first “0x4a” four bytes representing the length of the data.

② The attacker called the EthCrossChainManager.verifyHeaderAndExecuteTx() function, triggering the corresponding UnlockEvent “Unlock” function. We can see from the first four bytes representing the data length that the current transaction data has been changed.

“0x14feea0bdd3d07eb6fe305938878c0cadbfa16904214e0afadad1d93704761c8550f21a53de3468ba59900e00fc80b54905e35ca0d000000000000000000000000000000000000000000”

In this transaction, the amount of 8BlockingY tokens has increased significantly.

③ The attacker repeated this process by following the above steps. It involved 57 tokens distributed across 11 different blockchains. The attacker gained assets worth about $4.2 billion (at face value).

Image: Tokens unlocked on Ethereum by Poly Network attackers. Source: Etherscan
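
The two hex strings quoted in steps ① and ② can be decoded and compared field by field, which is the check a bridge monitor would run before trusting an unlock. The following is an added example, not code from Poly Network or from the original article. It assumes the layout visible in the quoted hex (a length-prefixed 20-byte asset hash, a length-prefixed 20-byte recipient, then a 32-byte little-endian amount), and the names decode_args and unlock_mismatches are hypothetical. The source-chain string is quoted only in part on the page, so its amount is read from the bytes that are visible.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hex as quoted on the page. SOURCE_ARGS (BSC Lock) is quoted only up to its
# start, so its amount field is cut short; TARGET_ARGS is the Ethereum unlock data.
SOURCE_ARGS = "0x4a14feea0bdd3d07eb6fe305938878c0cadbfa16904214e0afadad1d93704761c8550f21a53de3468ba599e80300000000000000000000000000"
TARGET_ARGS = "0x14feea0bdd3d07eb6fe305938878c0cadbfa16904214e0afadad1d93704761c8550f21a53de3468ba59900e00fc80b54905e35ca0d000000000000000000000000000000000000000000"

@dataclass
class TxArgs:
    declared_len: Optional[int]  # leading total-length byte, if the quote has one
    to_asset: str
    to_address: str
    amount: int                  # little-endian integer from the bytes available
    amount_complete: bool        # False when fewer than 32 amount bytes are present

def _read_var_bytes(buf: bytes, pos: int):
    """Read a one-byte length prefix and the bytes it announces."""
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("length prefix runs past the end of the data")
    return buf[pos + 1:end], end

def decode_args(hex_str: str, has_total_len: bool) -> TxArgs:
    """Decode one quoted argument blob (layout is an assumption, see lead-in)."""
    h = hex_str[2:] if hex_str.startswith("0x") else hex_str
    buf = bytes.fromhex(h[:len(h) - len(h) % 2])  # a cut-off quote may end mid-byte
    declared, pos = (buf[0], 1) if has_total_len else (None, 0)
    asset, pos = _read_var_bytes(buf, pos)
    addr, pos = _read_var_bytes(buf, pos)
    raw = buf[pos:pos + 32]
    return TxArgs(declared, asset.hex(), addr.hex(),
                  int.from_bytes(raw, "little"), len(raw) == 32)

def unlock_mismatches(src: TxArgs, dst: TxArgs) -> List[str]:
    """Fields where the unlock request differs from what was locked."""
    fields = ("to_asset", "to_address", "amount")
    return [f for f in fields if getattr(src, f) != getattr(dst, f)]

if __name__ == "__main__":
    src = decode_args(SOURCE_ARGS, has_total_len=True)
    dst = decode_args(TARGET_ARGS, has_total_len=False)
    print(src, dst, sep="\n")
    print("mismatched fields:", unlock_mismatches(src, dst))
```

The asset hash and recipient are identical in both strings; only the amount differs, and the low-order amount bytes already disagree, so the mismatch does not depend on the part of the source string the page leaves out.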

Asset Tracking

On the Ethereum network, the attacker successfully converted some tokens into ETH. The process is as follows:

During the attack, the attacker also transferred 1592 ETH (about $3.05 million) through a transaction and transferred 2240 ETH to three EOA external accounts. In addition, the attacker obtained about 3.01 million USDC and 2.65 million USDT, which were exchanged for 1557 and 1371 ETH, respectively.

The attacker moved the remaining token assets to a new EOA address and transferred 1 ETH to each address, though they have not cashed out the tokens yet. As the project owner removed liquidity from the tokens to prevent dumping, some of the tokens became worthless. As of now, the attacker seems to have gained only about $10 million from the incident.

Image: Poly Network attacker transferred assets and 1 ETH to a new EOA address

Conclusion

In 2022, the Web3.0 ecosystem experienced the devastating effects of cross-chain bridge attacks. Projects such as Ronin Bridge, Wormhole, and Nomad have all been affected by security incidents. The initial findings from the Poly Network incident show that this is the largest security event the Web3.0 ecosystem has faced so far, but losses have been contained to around $10 million due to the lack of liquidity support for newly minted tokens. There is currently no consensus on how the attacker exploited Poly Network. However, preliminary indications suggest that it is likely due to private key leaks or off-chain vulnerabilities, since on-chain functionality is operating normally.
