Poly Network Exploiter Starts Returning the Funds, Gives Back USD 1M

WikiBit 2021-08-11 17:45

The hacker of the decentralized finance (DeFi) interoperability protocol Poly Network is asking the protocol for a Multi-Signature (multisig) wallet to return the funds.

By Sead Fadilpašić

The hacker of the decentralized finance (DeFi) interoperability protocol Poly Network, which just lost over USD 600m, first asked the protocol for a multi-signature (multisig) wallet to return the funds - and has started returning them.

So far, the hacker has returned USD 1.007m, per Polygonscan data. That is a start, but there is still a long way to go.

After seemingly having some fun with messages asking if a community vote should decide on where the stolen funds should go, the attacker wrote "READY TO RETURN THE FUND!" - as it stands in the comment attached to a transaction executed by the address marked as PolyNetwork Exploiter. It's not clear, however, if the hacker was planning on returning all the stolen funds.

But then this confusing soup of a situation thickened.

Poly Network had already posted a letter to the hacker threatening them with law enforcement and stating that the money they took in the biggest [hack] in the [Defi] history belongs to the people.

And despite apparently wanting to return the funds hours later, in another transaction, the hacker said: "FAILED TO CONTACT THE POLY. I NEED A SECURED MULTISIG WALLET FROM YOU."

Hacker: ITS ALREADY A LEGEND TO WIN SO MUCH FORTUNE. IT WILL BE AN ETERNAL LEGEND TO SAVE THE WORLD. I MADE THE DECISION, NO MORE DAO

0xd239b01026c49b234d075e3d23a07efd1c3234239cfb440c0f90d5e84836fbe2

— harry.eth (@sniko_) August 11, 2021

Later today, the protocol shared the addresses to which the funds can be returned.

As reported, Poly Network suffered a massive exploit yesterday, seeing the attacker taking off with more than USD 600m. The attack happened on Binance Smart Chain (BSC), Ethereum (ETH), and Polygon (MATIC).

The address on Etherscan, marked as reported to be involved in a PolyNetwork exploit, contains USD 183m worth of ERC-20 tokens at the time of writing. Polygonscan shows more than USD 85m, and the BscScan address has around USD 133m.

It is still not clear what exactly happened behind this hack. There are even opinions that it was an inside job, though many disagree.

The blockchain security specialist Xiamen SlowMist Technology wrote that the core of this attack is that the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute specific cross-chain transactions through the _executeCrossChainTx function. The attacker replaced the address of the keeper role, constructed a transaction at will, and was able to withdraw any amount of funds from the contract.
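A simplified model of the pattern SlowMist describes, added here as an illustration and not taken from Poly Network's contracts or SlowMist's report: a manager that executes keeper-signed messages with its own authority, shown without and with a restriction on which contracts a message may target. All class, method and signer names are hypothetical, and the model assumes keepers sign relayed messages without inspecting the target.

```python
# Constructed toy model of the pattern SlowMist describes; not Poly Network's code.
# Class, method and signer names are hypothetical.

class KeeperStore:
    """Holds the keeper set; only its owner (the manager) may change it."""
    def __init__(self, owner, keepers):
        self.owner, self.keepers = owner, set(keepers)
    def put_keepers(self, caller, new_keepers):
        if caller is not self.owner:
            raise PermissionError("only the manager may update keepers")
        self.keepers = set(new_keepers)

class Vault:
    """Releases funds only on the manager's instruction."""
    def __init__(self, manager, balance):
        self.manager, self.balance = manager, balance
    def unlock(self, caller, amount):
        if caller is not self.manager:
            raise PermissionError("only the manager may unlock")
        self.balance -= amount

class Manager:
    """Executes a cross-chain message once a current keeper has signed it."""
    def __init__(self):
        self.store, self.allowed_targets = None, None  # None = any target
    def verify_and_execute(self, signer, target, method, arg):
        if signer not in self.store.keepers:
            raise PermissionError("not signed by a current keeper")
        if self.allowed_targets is not None and target not in self.allowed_targets:
            raise PermissionError("target is not allowlisted")
        getattr(target, method)(self, arg)  # runs with the manager's authority

def simulate(restrict_targets):
    """Replay two constructed messages; return (keepers, vault balance)."""
    mgr = Manager()
    store, vault = KeeperStore(mgr, {"keeper-1"}), Vault(mgr, 1000)
    mgr.store = store
    mgr.allowed_targets = [vault] if restrict_targets else None
    messages = [
        ("keeper-1", store, "put_keepers", {"intruder"}),  # relayed, keeper-signed
        ("intruder", vault, "unlock", 1000),  # valid only if the swap succeeded
    ]
    for signer, target, method, arg in messages:
        try:
            mgr.verify_and_execute(signer, target, method, arg)
        except PermissionError:
            pass  # a rejected message changes nothing
    return store.keepers, vault.balance
```

With no target restriction, `simulate(False)` ends with the keeper set replaced and the vault drained; with the vault as the only permitted target, `simulate(True)` leaves both untouched.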

Similarly, researcher Kelvin Fichter opined that there is a critical flaw in a Poly Network contract called EthCrossChainManager.


An engineer who goes by the name El Doggo Diablo stressed that the crypto space suffers from an extreme lack of software security processes.

Meanwhile, there are reports that quite a few individuals and funds in China, where this and related projects are said to be popular, have been affected by the hack. Investor Michael Gu (a.k.a. Boxmining) claimed to have been a victim himself, stating that there is nothing he can do about it now.

Send me money

Nearly immediately post-attack, there appeared quite a few of those who were sending messages and/or congratulating the hacker, in hopes that they'd get a tip.

Such comments on Etherscan seem to have been marked as spam. Some still remain though. For instance, Omaz Z Khan said: "Dude, just get all the cryptopunks that you can. SPARE me some eth or just one punk :) Il be indebted."

"Pls airdrop some fund to us, we are suffering year long due to COVID, thanks in advance," said meow chia. User chanlaka wrote a longer post, stating that they lost their parents and are only left with their ill younger sister for whom they need to pay the hospital bills.

SumYungGuy shared a larger post on, basically, how to get away with the money.

"bro just airdrop to all help all people!", simply wrote justin wong who took a more egalitarian approach to the situation.

It even seems that many people have decided to send the attacker bits of their ETH or other currency with messages, apparently hoping to get a lot more in return. "i sent you a tiny bit of matic maybe it'll get your attention :/ please change my life," commented TheBluntsLit, who has written quite a few praises.

And the person who was reported to have received an ETH 13.37 (USD 42,930) tip seems to have had some fun as well.

All txs are some permutation of 1337. Used 133.713371337 Gwei for Gas.

Uses MrGorbachevTearDownThatWall.txt as the message.

Yeah, hanashiro definitely some 4chan turbo degen just entertaining us.

— Hsaka (@HsakaTrades) August 10, 2021
