Poly Network $10 Million Loss Attack Incident Analysis

CertiK

On July 1, 2023, an attacker exploited a vulnerability in Poly Network and minted assets worth $42 billion across multiple chains. Despite the large number of assets issued, the attacker was unable to retrieve more than $10 million from 5 external account addresses due to low liquidity and the freezing of certain project tokens.

This is the first cross-chain bridge attack of the year and the second attack against Poly Network. Total losses from attacks last year amounted to $3.7 billion, with cross-chain bridge attacks accounting for 35% of that figure. While this event may seem like the largest vulnerability attack in history in terms of the amount involved, the hacker's actual gains are much lower.

Event Summary

On July 1, 2023 at 14:47 Beijing time, a malicious actor transferred assets from Poly Network's Lock Proxy contract to the attacker's address by initiating several cross-chain bridge transactions. On paper, the attacker profited over $42 billion worth of assets from 10 chains.


Image: Attacker wallet address of Poly Network. Source: Debank

But in fact, this number is misleading. For example, the attacker holds over 34 billion US dollars of Poly-pegged BNB and BUSD on the Metis blockchain, but these tokens cannot be sold due to lack of liquidity. Later, Metis also confirmed in a tweet that those newly minted BNB and BUSD have no available liquidity and are therefore worthless.

Similarly, many of the remaining tokens have become worthless. Upon learning of the incident and of the tokens issued by the attacker, several projects promptly removed liquidity to prevent token dumping and price collapse. For example, OpenOcean, StackOS, Revomon, and Nest Protocol all withdrew their projects' liquidity to prevent the attacker from selling.

Image: Revomon Twitter

Although the $42 billion figure does not accurately reflect the losses caused by this incident, CertiK has confirmed that at least $10 million in assets were stored in 5 Ethereum wallets.

Cross-Chain Bridge Vulnerability

In 2022, security incidents affecting cross-chain bridges resulted in $1.3 billion in economic losses, and that $1.3 billion came from only five incidents, which shows how destructive cross-chain bridge vulnerabilities are. Protecting cross-chain bridges is difficult, and combined with their high value and the variety of exploitable attack vectors, these infrastructures are often prime targets for malicious actors. Cross-chain bridges consist of multiple components such as custodians, issuers, and oracles. Because of the large amount of funds locked on a bridge, any misconfiguration, vulnerability, or malicious exploit can result in significant losses.

Attack Process

Poly Network bridges assets between different networks using "Lock" and "Unlock" functions. Users must first "lock" tokens on the source chain before they can be "unlocked" on the target chain.

The following example is based on a cross-chain transfer from BSC to ETH.

① The attacker first calls the Lock function on the BSC network to initiate a cross-chain transfer of a small amount of 8 PAY tokens.


Image: The attacker initiates cross-chain transfer using a small amount of 8 PAY tokens. Source: Etherscan

In this transaction, the data is specified as "0x4a14feea0bdd3d07eb6fe305938878c0cadbfa16904214e0afadad1d93704761c8550f21a53de3468ba599e80300000000000000000000000000", beginning with "0x4a", where the four bytes represent the data length.

② The attacker calls the EthCrossChainManager.verifyHeaderAndExecuteTx() function.

The corresponding UnlockEvent function is triggered. We can see from the four bytes indicating the data length at the beginning that the transaction data has been changed.

"0x14feea0bdd3d07eb6fe305938878c0cadbfa16904214e0afadad1d93704761c8550f21a53de3468ba59900e00fc80b54905e35ca0d000000000000000000000000000000000000000000"

In this transaction, the amount of 8 PAY tokens was significantly increased.

③ The attacker repeated this process as described above.

There were 57 types of tokens involved, distributed across 11 different blockchains. The attacker profited approximately $42 billion in assets (according to book value).


Image: Tokens unlocked by the Poly Network attacker on Ethereum. Source: Etherscan
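To make the comparison between the step ① lock data and the step ② unlock data concrete, here is an added Python decoder (my own, not CertiK's or Poly Network's code) that parses both blobs quoted above and reports which field changed. It assumes Poly Network's TxArgs layout of a length-prefixed toAssetHash, a length-prefixed toAddress and a 32-byte little-endian amount, and that the leading 0x4a in the lock data is the length prefix (74 = 1+20+1+20+32) of the args blob itself; the article's dumps are truncated, so missing trailing bytes are read as zero.

```python
from dataclasses import dataclass

# Both hex strings are the ones quoted in the article (step ① lock data, step ② unlock data).
LOCK_ARGS = "0x4a14feea0bdd3d07eb6fe305938878c0cadbfa16904214e0afadad1d93704761c8550f21a53de3468ba599e80300000000000000000000000000"
UNLOCK_ARGS = "0x14feea0bdd3d07eb6fe305938878c0cadbfa16904214e0afadad1d93704761c8550f21a53de3468ba59900e00fc80b54905e35ca0d000000000000000000000000000000000000000000"

@dataclass
class TxArgs:
    to_asset_hash: bytes  # 20-byte token contract on the target chain
    to_address: bytes     # 20-byte recipient on the target chain
    amount: int           # unsigned integer in the token's base units

def read_varuint(buf, pos):
    # Assumed varint scheme: one byte below 0xfd, otherwise a 2/4/8-byte little-endian value.
    tag = buf[pos]
    pos += 1
    if tag < 0xFD:
        return tag, pos
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[tag]
    return int.from_bytes(buf[pos:pos + size], "little"), pos + size

def read_varbytes(buf, pos):
    n, pos = read_varuint(buf, pos)
    if pos + n > len(buf):
        raise ValueError("var-bytes field runs past the end of the data")
    return buf[pos:pos + n], pos + n

def decode_tx_args(hex_data, outer_length_prefix=False):
    h = hex_data[2:] if hex_data.startswith("0x") else hex_data
    h += "0" * (len(h) % 2)          # tolerate a truncated dump with an odd nibble count
    buf, pos = bytes.fromhex(h), 0
    if outer_length_prefix:          # lock dump: 0x4a = 74 = 1+20+1+20+32 bytes of args follow
        _, pos = read_varuint(buf, pos)
    asset, pos = read_varbytes(buf, pos)
    addr, pos = read_varbytes(buf, pos)
    amount = int.from_bytes(buf[pos:pos + 32], "little")  # absent high bytes read as zero
    return TxArgs(asset, addr, amount)

def changed_fields(a, b):
    """Names of TxArgs fields that differ between a lock and the matching unlock."""
    return [f for f in ("to_asset_hash", "to_address", "amount") if getattr(a, f) != getattr(b, f)]

if __name__ == "__main__":
    lock = decode_tx_args(LOCK_ARGS, outer_length_prefix=True)
    unlock = decode_tx_args(UNLOCK_ARGS)
    print("asset 0x%s -> 0x%s" % (lock.to_asset_hash.hex(), lock.to_address.hex()))
    print("lock amount:", lock.amount, " unlock amount:", unlock.amount)
    print("changed:", changed_fields(lock, unlock))  # a mismatch means the unlock is not backed by the lock
```

Same asset hash and recipient in both blobs, only the amount differs: reconciling every executed unlock against its originating lock event is the check a bridge monitor would run to flag this class of event.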

Asset Tracking

In the Ethereum network, the attacker successfully converted some tokens to ETH. The process is as follows:


During the attack, the attacker also moved 1592 ETH (approximately $3.05 million) in a single transaction and transferred 2240 ETH to 3 external EOA accounts. In addition, the attacker obtained about 3.01 million USDC and 2.65 million USDT, which were exchanged for 1557 ETH and 1371 ETH respectively.

The attacker transferred the remaining token assets to a new EOA address and sent 1 ETH to each address (although these tokens have not yet been cashed out). Because project owners removed liquidity from their tokens to prevent dumping, some of these tokens have become worthless. So far, the attacker appears to have gained only about $10 million from this incident.

Image: The Poly Network attacker transferred assets and 1 ETH to a new EOA address

Closing Thoughts

In 2022, the Web 3.0 ecosystem suffered devastating cross-chain bridge attacks, affecting projects such as Ronin Bridge, Wormhole, and Nomad. The initial findings on the Poly Network incident indicate that it is the largest security event to date in the Web 3.0 ecosystem by nominal value. However, because the newly minted tokens had no liquidity behind them, the losses have been contained to approximately $10 million at the time of writing. There is no consensus yet on how the attacker exploited Poly Network, but preliminary evidence suggests a private key leak or an off-chain vulnerability.

Original article by CertiK. For reprints, content collaboration or reporting, please contact report@odaily.email; unauthorized reprinting will be pursued under the law.