Unveiling Vulnerabilities in Cross-Chain Bridges: Lessons from the Poly Network Exploit

Poly Network, a leading cross-chain bridge platform, recently fell victim to another exploit, exposing vulnerabilities within the protocol.

The attack allowed hackers to issue billions of fraudulent tokens, leading to a temporary suspension of services. However, limited liquidity and security measures hindered the hackers’ attempts to profit from their ill-gotten gains.

Dear users, we would like to inform you that Poly Network is temporarily suspending its services due to a recent attack. We are actively engaging with relevant parties and diligently assessing the extent of the affected assets. 【1/3】
— Poly Network (@PolyNetwork2) July 2, 2023

Via @PolyNetwork2 – Twitter

Details of the Exploit

The attack on Poly Network exploited compromised private keys, as confirmed by blockchain security firm Dedaub.

Getting to the bottom of the "34 billion" Poly network hack with a technical postmortem.

TL ; DR

Poly network had a simple 3 of 4 multisig arrangement over 2 years!

Looking at the final event we found that the private keys to the addresses marked were compromised. pic.twitter.com/Y0eMJXcYso
— Dedaub (@dedaub) July 2, 2023

Via @dedaub – Twitter

By manipulating a smart contract function, the hackers generated tokens across multiple blockchains, affecting 57 crypto assets on ten blockchains. Although the amount stolen remains undisclosed, the transfer of at least $5 million worth of crypto occurred.

#PeckShieldAlert @PolyNetwork2 exploiter has transferred more than $5M worth of cryptos out on #Ethereum, #BNBChain, and #Polygon, especially 1.5K $ETH ($2.88M) to 0x23f4…c671, 440 $ETH ($844K) to 0xc8Ab…C42F, and 300 $ETH (~$575K) to 0xfD3E…b778https://t.co/EbYdTo3xIg… pic.twitter.com/I5Lg9UJ0eU
— PeckShieldAlert (@PeckShieldAlert) July 2, 2023

Via @PeckShieldAlert – Twitter

The hacker evaded verification by manipulating a parameter, allowing the issuance of tokens from Poly Network’s Ethereum pool to their own address on different chains. The hacker accumulated a massive token stash, reaching an extraordinary value of around $42 billion. However, the hacker could only convert and steal a fraction of the total value due to limited liquidity in many tokens.

The hacker faced significant challenges monetizing their stolen tokens due to low liquidity, particularly in assets like BNB and BUSD on the Metis blockchain. Additionally, the developers locked the illicitly-issued METIS tokens on the Poly Network bridge, rendering them inaccessible.

We are aware of Polybridge’s ongoing situation, and are currently in contact with the PolyNetwork team to minimize the impact of the attack and further asses the situation.

In regards to the newly minted BNB and BUSD on Metis, there is no sell liquidity available.

All funds on…
— Metis🌿 (@MetisL2) July 2, 2023

Via @MetisDAO – Twitter

While the hacker converted some tokens into ether (ETH), the overall financial impact remained limited.

Poly Network’s Response and Lessons Learned

Poly Network’s response to the exploit drew criticism for its delayed seven-hour reaction time, resulting in an estimated loss of $5.5 million in stolen crypto. However, the lack of liquidity in many tokens played a role in mitigating further losses.

This incident underscores the importance of timely responses and continuous enhancements to protocol security. It serves as a valuable lesson for Poly Network and the wider crypto industry to improve response procedures, strengthen security measures, and prioritize liquidity management to mitigate the impact of future exploits.

Broader Implications for the Crypto Industry

The Poly Network exploit exposes vulnerabilities present in cross-chain bridge protocols. These bridges’ centralized nature and dependence on keepers controlled by the development team raise concerns regarding fund security.

The incident also highlights the need for effective monitoring solutions, such as Dedaub Watchdog, to minimize response time and protect against potential breaches.

The Poly Network exploit is a cautionary tale, exposing vulnerabilities within cross-chain bridge protocols. Although the hackers managed to issue billions of tokens, their profit-making ability was limited due to low liquidity and security measures.

Disclaimer: BlockNews provides independent reporting on crypto, blockchain, and digital finance. All content is for informational purposes only and does not constitute financial advice. Readers should do their own research before making investment decisions. Some articles may use AI tools to assist in drafting, but every piece is reviewed and edited by our editorial team of experienced crypto writers and analysts before publication.