The News: The Poly Network, a decentralized finance (DeFi) platform, reported on Tuesday that a hacker had made off with $600m, and the plot then thickened with details emerging that almost half of the money has been returned. Read more at Reuters.
What Does the Poly Network Hack Mean for DeFi
Analyst Take: So, what does the Poly Network hack mean for DeFi? The mainstream media narrative is that cryptocurrencies are used by criminals and terrorists because the currencies are anonymous, and that of course hacks like this are bound to happen. What this perspective completely misses is the difference between anonymous and pseudonymous, and this is a key nuance in the case of the Poly Network hack. If cryptocurrencies were anonymous, transactions could be processed completely in the dark, with no ability to trace what happened. As this case and the recent Colonial Pipeline hack are proving, cryptocurrencies are in fact very traceable. This should come as no surprise to anyone familiar with blockchain technology.
The underlying blockchain networks that provide the backbone of every cryptocurrency are immutable ledgers of every transaction, with details being added to blocks that form the entire history of what has been transferred and to what destination or wallet. Where the nuance comes in is that in many cases we don’t know who owns the wallet. However, if the criminal or terrorist wants to convert the cryptocurrency to fiat currency, then they will need an off-ramp, and this will involve a linkage to the legacy financial systems. This is where the likes of Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations provide an extra barrier for criminal activity.
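The tracing idea described above, as an added example that is not part of the original article: a forward walk over a constructed ledger from the address that received stolen funds, stopping where the funds reach addresses labelled as KYC-regulated services. All addresses, amounts and service labels are invented for illustration.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (tx_id, from_address, to_address, amount).
# Every address here is pseudonymous: visible on-chain, owner unknown.
LEDGER = [
    ("tx1", "bridge_contract", "addr_A", 600),
    ("tx2", "addr_A", "addr_B", 250),
    ("tx3", "addr_A", "addr_C", 100),
    ("tx4", "addr_B", "addr_D", 200),
    ("tx5", "addr_C", "exchange_hot_1", 100),
    ("tx6", "addr_D", "exchange_hot_2", 50),
    ("tx7", "addr_X", "addr_D", 30),  # unrelated sender, not downstream of the theft
]

# Hypothetical attribution data: addresses known to belong to services
# that apply KYC/AML checks (the "off-ramps" to fiat currency).
KYC_OFF_RAMPS = {"exchange_hot_1": "Exchange One", "exchange_hot_2": "Exchange Two"}


def trace(ledger, source):
    """Follow funds forward from `source`.

    Returns (addresses reached, off-ramp hits). This is plain reachability;
    it does not apportion amounts when tainted and clean funds are mixed.
    """
    outgoing = defaultdict(list)
    for tx_id, src, dst, amount in ledger:
        outgoing[src].append((tx_id, dst, amount))

    seen, hits = {source}, []
    queue = deque([source])
    while queue:
        addr = queue.popleft()
        for tx_id, dst, amount in outgoing[addr]:
            if dst in KYC_OFF_RAMPS:
                # Deposit into a regulated service: the point where a
                # pseudonymous address can be tied to an identified customer.
                hits.append((tx_id, addr, KYC_OFF_RAMPS[dst], amount))
                continue  # movements inside the service are not on this ledger
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen, hits


if __name__ == "__main__":
    reached, off_ramp_hits = trace(LEDGER, "addr_A")
    print(sorted(reached))
    for hit in off_ramp_hits:
        print(hit)
```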
What is the Poly Network?
The Poly Network is built to implement interoperability between multiple chains in order to build the next generation internet infrastructure in a space commonly called DeFi. The Poly Network is basically a smart-contract-driven platform that facilitates transactions between various different platforms. Poly Network operates through an open, transparent admission mechanism and facilitates communication with other blockchain networks. The Poly Network has already developed integrations between networks such as Bitcoin, Ethereum, Neo, Ontology, Elrond, Zilliqa, Binance Smart Chain, Switcheo and Huobi ECO Chain. Think of the Poly Network as a Rosetta stone connecting various DeFi platforms and blockchains in a peer-to-peer network.
$600 Million Stolen From Poly Network is the Largest DeFi Hack Ever
On Tuesday, details of the Poly Network hack started to emerge, revealing that some $600 million had been stolen. The hackers had exploited a vulnerability in the smart-contract code the Poly Network uses to move assets between different blockchains to make off with the funds, spread across various cryptocurrencies. After the attack, Tether immediately froze $33 million to prevent further damage. The hacker tried to move the coins, including USDT, through Curve.fi, a liquidity pool in Ethereum, but the transaction was rejected. However, about $100 million had been successfully transferred from Binance Smart Chain addresses and deposited into an Ellipsis Finance account.
On Tuesday, CipherTrace, one of the leaders in the rapidly emerging space of on-chain analysis, reported as part of one of its monthly reports that by the end of July 2021, major crypto thefts, hacks, and frauds totaled $681 million. While this number continues to be dwarfed by previous years’ highs, a breakdown of the types of thefts and fraud confirms a trend observed at the beginning of last quarter. DeFi-related crimes continue to grow quarter over quarter, with Q2 2021 netting criminals new highs in DeFi-related proceeds.
One thing we can be certain of is that this hack dwarfs the trend so far this year, with the funds amounting to more than the criminal losses registered by the entire DeFi sector from January to July. If you want to go deep and find out exactly how the hacker tricked the network into moving the funds, this Twitter thread seems to have all the details.
The Poly Network Hack Gets More Bizarre as Hackers (or Hacker) Start to Return Funds
Late on Wednesday, details started to emerge that the hacker or hackers behind the Poly Network DeFi heist had returned more than a third of the $613 million in digital coins they stole only 24 hours earlier.
Poly Network is keeping everyone updated on the progress of the returned funds via a pinned tweet on the company Twitter channel, listing that $260 million (as of 11 Aug 04:18:39 PM +UTC) of assets had been returned in the following breakdown: Ethereum: $3.3M, BSC: $256M, Polygon: $1M, with the outstanding funds being listed as $269M on Ethereum and $84M on Polygon.
The company behind the Poly Network urged hackers to return the funds and threatened legal action in an effort to compel the return of the funds — and it seems to have worked.
However, the hacker now seems to be framing the hack as a Robin Hood-style attack or ‘white-hat’ hack and presenting their actions as a service to the network. The hacker is even asking for donations for their ‘good work’ in exposing vulnerabilities in the network. The hacker has been embedding messages in blocks associated with the transactions with their own addresses to communicate with the world. It was “always the plan” to return the tokens, the purported hacker wrote, adding: “I am not very interested in money.”
I had the chance to speak to CipherTrace late on Wednesday to understand their perspective on the hack and the motivation behind it, and the conversation can be summarized with this quote: “In this case, the hacker essentially found an exploit or planted the vulnerability that allowed him to bypass the private keys and have the contract just send the funds to himself,” says John Jefferies, Chief Financial Analyst at CipherTrace.
What Does this Mean for DeFi Going Forward?
What does the Poly Network hack mean for DeFi going forward? The pace of innovation in the DeFi space is so rapid and the amount of VC money flowing into the space is so huge, that it is hard not to be impressed. However, one needs to be pragmatic. The legacy financial system grew to what it is today over hundreds of years and the cryptocurrency and DeFi space has a lot of catching up to do. Building everything from the ground up anew will take time and missteps will happen along the way.
Hacks such as this one are ultimately good in the long run for DeFi, as they will increase scrutiny and governance and improve the security posture of the networks. In the short term, this high-profile Poly Network hack will be jumped on by the ill-informed to denigrate the entire DeFi movement, and while lessons need to be learned for sure, we need to be aware of the progress made so far by the DeFi community in what is, to all intents and purposes, a field less than a decade old.
As the U.S. Government has largely proven this week with the debate around the Infrastructure Bill, the regulation will largely have to come from within the community as the SEC and FTC and other agencies are struggling to keep up with the pace of innovation and the sheer breadth of the scope of DeFi. I certainly hope that this latest hack gives the innovators an opportunity to pause, reflect and learn the lesson that this latest incident has made apparent.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.