The largest hack in recorded history took place yesterday when attackers exploited a vulnerability that could change the “keeper role” of a blockchain contract and make any transaction such as a withdrawal, according to a Medium post by Poly Network.
Poly Network, a platform that looks to connect different blockchains so that they can work together, confirmed that the vulnerability was due to the leakage of a keeper’s private key.
In a tweet thread, SlowMist confirmed that over $610m was stolen
1)The cross-chain interoperability protocol @PolyNetwork2 was attacked, and a total of more than 610 million US dollars were transferred to 3 addresses. The impact caused the transfer of large assets of the O3 Swap cross-chain pool.
— SlowMist (@SlowMist_Team) August 10, 2021
The security team has also confirmed that it “has got the attacker’s mailbox, IP and device fingerprints through on-chain and off-chain tracking.”
The details of the attack are as follows, according to SlowMist:
“The core of this attack is that the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute specific cross-chain transactions through the _executeCrossChainTx function,” SlowMist explains. “Since the owner of the EthCrossChainData contract is the EthCrossChainManaget contract, [it] can modify the keeper of the contract by calling the putCurEpochConPubKeyBytes function…”
SlowMist goes on to say that the attacker only needs to pass in the carefully constructed data through the verifyHeaderAndExecuteTx function to execute the call to change the keeper role to the address of the specified attackers. “After replacing the address of the keeper role, the attacker can construct a transaction at will and withdraw any amount of funds from the contract.”
The contract attacked was a Bscscan contract and a Etherscan contract, which are now valued at $0. After the attack on the contract was finished, the keeper was modified, which caused other “normal transactions” to be reverted, says SlowMist.
The transactions published by SlowMist and Poly Network show that the exploiter made three withdrawals from the Bscscan contract: $133,023,777.79, $85,519,813.63, $87,594,029.67, $132,907,573.59, $132,907,574.59 and $133,029927.08 (USD). On the Etherscan contract, $93,343,903.87 Ether was withdrawn ($182,628,360.16 USD).
Poly Network took to Twitter to confirm the attack had taken place, addressing the hackers directly: “We want to establish communication with you and urge you to return the hacked assets.”
— Poly Network (@PolyNetwork2) August 10, 2021
In this tweet, the alliance confirmed that the hack is the biggest in the decentralized finance platform (DeFi) history and warns the hackers that law enforcement would consider it a “major economic crime.”
Poly Network has also called on miners of the affected blockchains — BinanceChain, Ethereum and Polygon — to blacklist tokens coming from the published addresses.