Bad news for the Poly Network bridge, which fell victim to a hack yesterday morning that resulted in a malicious party undermining as much as $44 billion in BUSD, BNB and SHIB.
This was the second mishap for the platform in 2 years: in 2021 it had been hit by a theft the size of $600 million.
While the amount of the hack is significantly larger in this case, the amount of crypto assets actually sold was far less, as the attacker was unable to monetize the funds due to the absence of liquidity on some blockchains.
Let’s look at all the details together.
Poly Network hack: minted $44 billion worth of crypto
On Sunday, 2 July, the Poly Network bridge, a platform that allows different blockchain networks to interoperate, was hacked forcing the team to temporarily halt its services.
This is the second case of a breach of the protocol, after it was compromised for $600 million in 2021.
Dear users, we would like to inform you that Poly Network is temporarily suspending its services due to a recent attack. We are actively engaging with relevant parties and diligently assessing the extent of the affected assets. 【1/3】
— Poly Network (@PolyNetwork2) July 2, 2023
In this case, the compromised cryptocurrencies amount to a total countervalue of as much as $42 BILLION.
The attacker in question, who is still unknown, managed to exploit a vulnerability in the platforms’ smart contract that allowed him to mint unlimited tokens from the Poly Network pool.
On the technical side, according to a cryptography and web3 expert, the hacker manipulated a function that allowed him to “create a malicious parameter containing a fake validator signature and a block header.”
In detail, about 100 million BNB and and 10 billion BUSD were minted on the Metis blockchain, and 999 trillion SHIB on the Heco network, as well as numerous other minor tokens such as COW, COOK, OOE, STACK and GM on Polygon, Avalanche, BNB Chain and OKX chain.
At first glance, one could say that this represents the largest hack in crypto history, as a truly staggering amount was minted.
However, in truth, the attacker only managed to monetize $5 million, due to the absence of liquidity on the networks that were affected.
In fact, without a pool where the minted cryptocurrencies could be converted, the individual found himself with an incredible amount of worthless coins!
This is because the Poly Network team, following the embarrassing incident, immediately moved to alert on-chain analytics companies and major crypto projects, which blocked the liquidity taps for the affected assets and networks.
In total, the exploit affected 57 different assets, but the ones that were actually sold were only about 20, excluding the billion-dollar amounts in BUSD, BNB, and SHIB.
It is funny to see how the 99 million BNB that were minted by the exploiter and transferred to a second address should be worth $24.8 billion on paper but are actually worth nothing.
Liquidity is everything: monetizing the hack became impossible for the hacker
The case of the Poly Network bridge hack is illustrative of the meaning of the phrase “liquidity is everything” that is often heard resonating when discussing DeFi‘s decentralized protocols.
While in the 2021 hack of the same platform, in which the North Korean group Lazarus managed to get away with a haul of $600 million, in this case the lack of liquidity was crucial in preventing a mass sell-off of multiple cryptocurrencies.
Indeed, a few hours after the incident, all affected infrastructures moved to minimize the impact of the hack by shutting down liquidity pools where the attacker could have converted the coins minted out of thin air.
The Metis blockchain team immediately reassured its community and that of the Binancians that there wasn’t enough liquidity on its network to sell BNB and BUSD, which represented the crypto assets most at risk of sell-off.
Moreover, Changpeng Zhao himself, founder of the crypto exchange, also stated in a timely manner that the incident would not hurt BNB and BUSD, since Binance does not accept deposits on Metis networks.
Without a decentralized pool where minted funds can be swapped, and without a backing exchange where they can be traded, these assets remain worthless.
In general, when hacks like this happen, where assets worth billions are compromised, the cooperation of key centralized infrastructures is critical to prevent disastrous consequences.
While the liquidity taps remain empty, regulators and on-chain tracking companies are trying to trace the identity of the individual who escaped with $5 million in his pocket.
Although there were no serious consequences, this still remains a detriment to the crypto community, which can no longer use certain pools and utilize certain interoperability services.
While we wait to find out new unpublished facts about this interesting story, we can only congratulate the Poly Network team, which managed to get hacked twice in the space of two years, demonstrating incompetence in their activities.
The issue opens up a very interesting debate about the nature of bridges, which are very useful for moving from one blockchain to another but extremely vulnerable as well as a favorite place for crypto pirates who since 2017 have stolen as much as $2.5 billion from this kind of platform.