Earlier this month, a hacker executed a massive crypto heist on PolyNetwork, a decentralized finance (DeFi) platform. The hacker stole more than $600 million in crypto from thousands of users across three separate blockchains on which PolyNetwork operates (Binance Smart Chain, Ethereum and Polygon), involving more than a dozen cryptocurrencies. In other words, this hack was *major*. The PolyNetwork protocol operates on multiple blockchains and allows users to send and receive tokens across them using various smart contracts (also known as "bridges"). The hacker exploited a vulnerability in one of these smart contracts, which holds significant amounts of crypto to provide liquidity; the flaw allowed him to overwrite the contract's instructions and redirect all of that crypto to himself. From there, the hacker attempted to move the stolen crypto into various liquidity pools.
The hacker succeeded in moving some of the crypto. But shortly after the heist, the wallet addresses were published on various platforms along with a request to reject (or blacklist) transactions originating from them. This was partially effective: because the funds in the identified wallets were effectively frozen, the hacker was prevented from moving hundreds of millions of dollars' worth of stolen coins. And because the hacker's loot included Tether (USDT), a centralized stablecoin, approximately $33 million in USDT was frozen by Tether's programmers, which essentially made those coins useless as well.
This hack is notable for being the largest in crypto history (over $600 million). But it is also notable because...wait for it...the hacker RETURNED the crypto. The day following the hack, the hacker, now known as "Mr. White Hat," began to return some of the funds. Over the past few weeks, he has returned almost all of the stolen crypto. He claims that the caper was designed to highlight the network's vulnerability and to keep the crypto safe from other bad actors. However, many believe that his efforts to move the funds out of the wallets say otherwise. Moreover, there was at least one transaction involving a wallet on a well-known exchange that likely had KYC/identifying information for the wallet owner. Couple the possibility of being identified with the blacklisting of the coins and it starts to feel like the caper maybe just went south and Mr. White Hat was looking for cover. In any event, almost all of the funds have been returned to addresses designated by PolyNetwork, and PolyNetwork has extended him a job offer and a $500,000 bounty (he hasn't accepted either because, well, jail).
DeFi networks will continue to be targets for hackers because of the sheer value of crypto transacted on them. As a result, users of these networks should pay attention to whether a network's code has been properly audited and should avoid networks that do not perform this critical function. In this case, many believe that PolyNetwork did not audit its code (and that the smart contract was simply poorly coded). Hopefully other DeFi platforms will learn from this saga and the $600 million record will stand for the foreseeable future.