The hacker of the decentralized finance (DeFi) interoperability protocol Poly Network, that just lost over USD 600m, first asked the protocol for a multi-signature (multisig) wallet to return the funds – and has started returning it.
So far, the hacker returned USD 1.007m, per Polygonscan data. That is a start, but still a long way to go.
After seemingly having some fun with messages asking if a community vote should decide on where the stolen funds should go, the attacker wrote “READY TO RETURN THE FUND!” – as it stands in the comment attached to a transaction executed by the address marked as ‘PolyNetwork Exploiter’. It’s not clear, however, if the hacker was planning on returning all the stolen funds.
But then this confusing soup of a situation thickened.
Poly Network had already posted a letter to the hacker threatening them with law enforcement and stating that the money they took in “the biggest [hack] in the [Defi] history” belongs to the people.
And despite apparently wanting to return the funds hours later, in another transaction, the hacker said: “FAILED TO CONTACT THE POLY. I NEED A SECURED MULTISIG WALLET FROM YOU.”
Hacker: "IT'S ALREADY A LEGEND TO WIN SO MUCH FORTUNE. IT WILL BE AN ETERNAL LEGEND TO SAVE THE WORLD. I MADE THE DECISION, NO MORE DAO"
0xd239b01026c49b234d075e3d23a07efd1c3234239cfb440c0f90d5e84836fbe2 pic.twitter.com/yDc2BwBiO2
— harry.eth (@sniko_) August 11, 2021
Later today, the protocol shared the addresses to which the funds can be returned.
As reported, Poly Network suffered a massive exploit yesterday, seeing the attacker taking off with more than USD 600m. The attack happened on Binance Smart Chain (BSC), Ethereum (ETH), and Polygon (MATIC).
The address on Etherscan, marked as “reported to be involved in a PolyNetwork exploit,” contains USD 183m worth of ERC-20 tokens at the time of writing. Polygonscan shows more than USD 85m, and the BscScan address has around USD 133m.
It is still not clear what exactly happened behind this hack. There are even opinions that it was inside job, though many disagree.
The blockchain security specialist Xiamen SlowMist Technology wrote that “the core of this attack is that the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute specific cross-chain transactions through the _executeCrossChainTx function.” The attacker replaced the address of the keeper role, constructed a transaction at will, and was able to withdraw any amount of funds from the contract.
Similarly, researcher Kelvin Fichter opined that there is a “critical flow” in Poly Network contract called the ‘EthCrossChainManager’.
Why is this target so important? It keeps track of the list of public keys that authenticate data coming from the other chain. If you can modify that list, you don't even need to hack private keys. You just set the public keys to match your own private keys.
— God-like Natural Number Creator Person (TM, R) (@kelvinfichter) August 10, 2021
An engineer who goes by the name ‘El Doggo Diablo’ stressed that the crypto space suffers from “an extreme lack of software security processes.”
Meanwhile, there are reports that quite a few individuals and funds in China, where this and related projects are said to be popular, have been affected by the hack. Investor Michael Gu (a.k.a. ‘Boxmining’) claimed to have been a victim himself, stating that there is nothing he can do about it now.
‘Send me money’
Nearly immediately post-attack, there appeared quite a few of those who were sending messages and/or congratulating the hacker, in hopes that they’d get a tip.
Such comments on Etherscan seem to have been marked as spam. Some still remain though. For instance, Omaz Z Khan said: “Dude, just get all the cryptopunks that you can. SPARE me some eth or just one punk 🙂 Il be indebted.”
“Pls airdrop some fund to us, we are suffering year long due to COVID, thanks in advance,” said ‘meow chia’. User ‘chanlaka’ wrote a longer post, stating that they lost their parents and are only left with their ill younger sister for whom they need to pay the hospital bills.
‘SumYungGuy’ shared a larger post on, basically, how to get away with the money.
“bro just airdrop to all help all people!,” simply wrote ‘justin wong’ who took a more egalitarian approach to the situation.
It even seems that many people have decided to send the attacker bits of their ETH or other currency with messages, apparently hoping to get a lot more in return. “i sent you a tiny bit of matic maybe itll get your attention :/ please change my life,” commented ‘TheBluntsLit,’ who has written quite a few praises.
And the person who was reported to have received an ETH 13.37 (USD 42,930) tip, seems to have had some fun as well.
All txs are some permutation of 1337. Used 133.713371337 Gwei for Gas.
Uses MrGorbachevTearDownThatWall.txt as the message.
Yeah, hanashiro definitely some 4chan turbo degen just entertaining us. pic.twitter.com/fSBkuu1uMb
— Hsaka (@HsakaTrades) August 10, 2021
____
Other reactions:
For anyone still confused, here's the hack depicted as a beautiful gif pic.twitter.com/Shg5Tdf21Z
— God-like Natural Number Creator Person (TM, R) (@kelvinfichter) August 10, 2021
__
Chinese Blogger Chaojijun: I consulted USDT, USDC and BSC for the first time. USDT was frozen. The CEO of USDC said that they wanted to go public legally and not frozen. BSC initially said that it was frozen, but after @cz_binance tweeted, Know that they are not frozen. https://t.co/XyvCK6DRIM
— Wu Blockchain (@WuBlockchain) August 11, 2021
__
scary to see another half a billion of $US is put in unaudited contracts pic.twitter.com/Ri7hsZaFGP
— Loi ThΞ Luu (@loi_luu) August 11, 2021
__
“Message dispatch in Solidity confused by a hash collision from user-supplied input allowing privilege escalation.”
Ah, of course, that’s a thing.
— Patrick McKenzie (@patio11) August 11, 2021
__
How many more hacks does it take for you to move it all to $BTC? 2, 3, 5, 20, 100, yours? https://t.co/jCAjEBypph
— Bitcoin Fool PhD (@bitcoinfool) August 11, 2021
__
savage thread from jedi master dev @fubuloubu on what works and what doesn't for improving tech security/reliability. . . https://t.co/gHQSfjSyTa
— _gabrielShapir0 (@lex_node) August 11, 2021
__
The hacker wants to return the funds. 🤣
This was the dumbest hack and the dumbest hacker in history!
Next he writes a letter of apology. pic.twitter.com/GG2gGOwQiS
— Ran Neuner (@cryptomanran) August 11, 2021
____
Source: Cryptonews
