How to Steal $600,000,000

(This is a two-minute read)

The biggest crypto news of the last weeks? A $612 million hack of Poly Network, a decentralized finance platform that allows different blockchains to interact with each other.

The application lets users deposit (lock up using a smart contract) an asset on one blockchain to simultaneously use those funds freely on another blockchain.

Today, we’ll take a high-level look at exactly how the hack worked.

First, how is Poly Network supposed to work in the first place?

A user deposits assets in a smart contract on one blockchain and the equivalent assets are released on another blockchain.

To verify that everything is working correctly, Poly Network uses a Proof of Authority sidechain (a different type of consensus mechanism) to verify the transaction, then completes it on the new blockchain.

To do this, Poly Network checks with a specific set of keys. These are the ‘brokers’ that provide confirmation for the transaction.

In this particular case, the hacker exploited a programming oversight to rewrite the keys. He changed the keys Poly Network checks with to his own private keys.

This way, now the new blockchain only checks with the hacker before executing the transaction.

At this point, it was just a question of execution. The hacker didn’t use the network as normally, but instead requested ALL the funds that had been locked up in Poly Network.

The network checked with the hacker, and saw that the transaction was authorized. This way, the hacker was able to steal $273 million in Ethereum, $253 million in Binance Smart Chain, and $85 million in Polygon.

What Does This Mean for Me?

Unless you use Poly Network or work on the project, you’re probably actually better off post-hack. Crypto markets dipped slightly yesterday but went ended the day in the green.

These hacks can often be constructive for the industry as a whole.

As flaws are exploited, mistakes are noticed and much less likely to be made in the future. While the aftermath for Poly Network and its customers will be closely followed over the next few weeks, crypto as a whole is no real danger, and it was the application, not the underlying blockchain itself, that was flawed.

There’s not much information on who will be financially responsible for the loss, but the hacker has already given back $260 million dollars of the hack, with $269 million remaining on Ethereum and $84 million on Polygon. Some in the community cite this as evidence that the hacker is more interested in exposing errors than the money itself, while others say it’s only evidence of how hard it is to hide money on the blockchain and get away with a hack this big.

Jack Niewold

Founder, Crypto Pragmatist

Thanks for reading! This is my newsletter archive, which is mostly updated, but you can read fresh content just like this every day on my daily newsletter. Subscribe for free here and follow me on Twitter here