The Poly Network protocol was the target of the largest DeFi attack to date. In total, the attacker managed to drain the equivalent of $600 million in cryptocurrencies. However, it seems that he does not want to keep the funds.
The largest DeFi attack in history
As we reported early yesterday morning on the Coin Journal, the cross-blockchain protocol PolyNetwork has been the target of a large-scale attack. As a reminder, PolyNetwork is a protocol that acts as a gateway between Ethereum, Polygon and the Binance Smart Chain, so that liquidity can flow between these different blockchains.
As is fairly typical in DeFi, the attacker took advantage of a flaw in the calls between some smart contracts, as PolyNetwork explained on Twitter:
“After a preliminary investigation, we have located the cause of the vulnerability. The hacker exploited a vulnerability between contract calls, the exploit was not caused by the single custodian as rumored.”
In total, $273 million on Ethereum, $85 million in USD Coin (USDC) on the Polygon network and $253 million on the Binance Smart Chain were stolen by the attacker, a sadly historic record.
A turnaround: will the funds be returned?
After this attack, the protocol teams tried to contact the attacker in order to get him to return the funds.
A few hours ago, the attacker resurfaced with a message attached to a transaction he sent to himself, in which he says he is ready to return the funds.
In a second message, he explains that he has not managed to contact the PolyNetwork teams and asks them to set up a multi-sig wallet to receive the funds.
“DID NOT MANAGE TO CONTACT THE POLY TEAMS. I NEED A SECURE MULTISIG WALLET FROM YOU.”
Following this message, PolyNetwork’s teams hurriedly set up three addresses on the three exploited blockchains so that the attacker could return the funds.
Unfortunately, no activity has been recorded on any of these addresses so far.
Negotiations likely underway
Based on screenshots available on Twitter, it appears that the attacker and PolyNetwork teams are in the midst of negotiations.
In his message, the attacker explains that his attack was in fact largely… accidental:
“I am the exploiter who extracted the funds. I started studying to become a blockchain developer. I decided that the best way to improve was to try to tackle the most complex contracts. Crosschain protocols are not easy to test locally, so I decided to test them on the main network. This led to your displeasure and my surprise.”
However, he is well aware of how difficult it would be for him to dispose of the funds:
“I want to cooperate. There is no way for me to launder this amount of money. Give me some ideas.”
He then says that he is not a criminal and that the fault lies mainly with PolyNetwork for not having sufficiently secured its protocol:
“I didn’t commit a crime, because I just used the contracts. It’s your fault for not testing it enough.”
Finally, the attacker warns the protocol teams of what he will do if they fail to find common ground:
“If we don’t reach an agreement, I will send the funds to an unknown address or find something more fun.”
All that remains is to monitor the addresses provided by the protocol teams to see whether the attacker does indeed return the funds. The case comes at the worst possible time for Ethereum, where the euphoria surrounding the deployment of EIP-1559 has been spoiled by this unprecedented attack.