Skip to main content

A Curious Crypto Caper Chronicle

The Hack

Earlier this month, a hacker executed a massive crypto heist on PolyNetwork--a decentralized finance (DeFi) platform. The hacker was able to steal more than $600 million in crypto from thousands of users on three separate PolyNetwork blockchains (Binance Smart Chain, Ethereum & Polygon) and involving more than a dozen cyptocurrencies. In other words, this hack was *major*. The PolyNetwork protocol operates on multiple blockchains and allows users to send/receive tokens across these different blockchains using various smart contracts (also known as "bridges"). The hacker exploited a vulnerability in one of these smart contracts which maintains significant amounts of crypto to maintain liquidity and this allowed him to overwrite instructions and redirect all crypto funds to himself. From there, the hacker attempted to move the stolen crypto into various liquidity pools.  

The Blacklist

The hacker was successful in moving some of the crypto. But shortly after the heist, the wallet addresses were published on various platforms along with a request to reject (or blacklist) transactions originating from them. This was partially effective in preventing the hacker from moving hundreds of millions of dollars worth of stolen coins from the identified wallets because the funds were effectively frozen. Because the hacker's loot included Tether (USDT), a centralized stablecoin, approximately $33 million in USDT was frozen by Tether's programmers which essentially made those coins useless as well. 

The Return

This hack is notable for being the largest in crypto history (+$600M). But it is also notable because...wait for it...the hacker RETURNED the crypto. The day following the hack, the hacker, now known as "Mr. White Hat," began to return some of the funds. Over the past few weeks, he has returned almost all the stolen crypto. He claims that the caper was designed to highlight the network's vulnerability and keep the crypto safe from other bad actors. However, many believe that his efforts to move the funds out of the wallets say otherwise. Moreover, there was at least one transaction involving a wallet on an well-known exchange that likely had KYC/identifying information for the wallet owner. Couple the possibility of being identified with the blacklisting of the coins and it starts to feel like the caper maybe just went south and Mr. White Hat was looking for cover. In any event, almost all the funds have been returned to addresses designated by PolyNetwork and they've extended him a job offer and a $500,000 bounty (he hasn't accepted either because, well, jail). 


The Aftermath

DeFi networks will continue to be targets for hackers because of the sheer value of crypto that is transacted on these networks. As a result, users of these networks should pay attention to whether a network's code has been properly audited and should avoid networks that do not perform this critical function. In this case, many believe that PolyNetwork did not audit its code (and that the smart contract was simply poorly coded). Hopefully other DeFi platforms will learn from this saga and the $600 million record will stand for the foreseeable future. 

Comments

Popular posts from this blog

Before You Mint Your NFT

With NFT season taking a bit of a breather (kinda), I thought this would be the perfect time to lay out a few things to consider before minting an NFT.  If you missed the frenzy, well, welcome. "NFT" stands for non-fungible token and these digital tokens represent real world ownership and provenance of a particular asset. NFTs are minted (i.e., produced), stored and transacted (bought/sold/traded) on a distributed ledger like blockchain. Some NFTs represent ownership of tangible assets and some NFTs are digital/virtual assets  (yes, a digital piece of art was purchased for $69M). "Non-fungibility" is a scary word but it essentially means that the asset is unique, cannot be interchanged with another asset, and cannot be replicated. Think of NFTs as either collectibles, like artwork and trading cards, or title to tangible/real property, like real estate and cars.  So with all the excitement having simmered down a bit, below are a few things to think about before you

The Rundown on CBDCs

Everyday there is a news report about a country that is "exploring" or "studying" the possibility of developing a central bank digital currency (CBDC). In the past few days, I've read articles about Rwanda, Israel and France looking to pilot programs with CBDCs. And yesterday, the Bank of International Settlements announced its backing of the development of CBDCs. With approximately 80% of central banks around the world taking a closer look at CBDCs, now is as good a time as any to learn more about them. What Are They? A central bank digital currency is exactly what it sounds like--a digital currency issued by a central bank. In the same way our central bank, the Federal Reserve, issues the U.S. dollar, it would similarly issue some official U.S. digital currency ('digital dollar'). This is pretty much where the simplicity of it all ends. Things get really hairy (really fast) when central banks have to figure out how CBDCs fit into a traditional financ