
A Curious Crypto Caper Chronicle

The Hack

Earlier this month, a hacker executed a massive crypto heist on PolyNetwork--a decentralized finance (DeFi) platform. The hacker was able to steal more than $600 million in crypto from thousands of users on three separate PolyNetwork blockchains (Binance Smart Chain, Ethereum & Polygon), involving more than a dozen cryptocurrencies. In other words, this hack was *major*. The PolyNetwork protocol operates on multiple blockchains and allows users to send/receive tokens across these different blockchains using various smart contracts (also known as "bridges"). The hacker exploited a vulnerability in one of these smart contracts, which holds significant amounts of crypto to maintain liquidity, and this allowed him to overwrite instructions and redirect all crypto funds to himself. From there, the hacker attempted to move the stolen crypto into various liquidity pools.

The Blacklist

The hacker was successful in moving some of the crypto. But shortly after the heist, the wallet addresses were published on various platforms along with a request to reject (or blacklist) transactions originating from them. This was partially effective in preventing the hacker from moving hundreds of millions of dollars' worth of stolen coins from the identified wallets because the funds were effectively frozen. Because the hacker's loot included Tether (USDT), a centralized stablecoin, approximately $33 million in USDT was frozen by Tether's programmers, which essentially made those coins useless as well.

The Return

This hack is notable for being the largest in crypto history (+$600M). But it is also notable because...wait for it...the hacker RETURNED the crypto. The day following the hack, the hacker, now known as "Mr. White Hat," began to return some of the funds. Over the past few weeks, he has returned almost all the stolen crypto. He claims that the caper was designed to highlight the network's vulnerability and keep the crypto safe from other bad actors. However, many believe that his efforts to move the funds out of the wallets say otherwise. Moreover, there was at least one transaction involving a wallet on a well-known exchange that likely had KYC/identifying information for the wallet owner. Couple the possibility of being identified with the blacklisting of the coins and it starts to feel like the caper maybe just went south and Mr. White Hat was looking for cover. In any event, almost all the funds have been returned to addresses designated by PolyNetwork and they've extended him a job offer and a $500,000 bounty (he hasn't accepted either because, well, jail).


The Aftermath

DeFi networks will continue to be targets for hackers because of the sheer value of crypto that is transacted on these networks. As a result, users of these networks should pay attention to whether a network's code has been properly audited and should avoid networks that do not perform this critical function. In this case, many believe that PolyNetwork did not audit its code (and that the smart contract was simply poorly coded). Hopefully other DeFi platforms will learn from this saga and the $600 million record will stand for the foreseeable future. 
