CertiK: Analysis of the Poly Network Million Dollar Loss Attack Event
Author: CertiK
On July 1, 2023, an attacker exploited Poly Network to mint assets with a paper value of about $42 billion across multiple chains. Despite the size of the issuance, low liquidity and the freezing of several project tokens meant the attacker was able to realize only about $10 million, held across five externally owned accounts (EOAs).
This is the first cross-chain bridge attack of 2023 and the second attack on Poly Network. Losses from attacks in 2022 totaled $3.7 billion, with cross-chain bridge attacks accounting for 35% of that figure. Although the nominal amount makes this the largest exploit on record, the attacker's actual profit is far lower.
Incident Summary
At 14:47 Beijing time on July 1, 2023, a malicious actor issued a series of cross-chain transactions that moved assets from Poly Network's LockProxy contracts to addresses under their control. On paper, the attacker came away with assets worth over $42 billion across 10 chains.
Image: Poly Network attacker's wallet address. Source: Debank
However, this figure is misleading. For example, the attacker held Poly-pegged BNB and BUSD worth over $34 billion on the Metis blockchain, but these tokens could not be sold for lack of liquidity. Metis later confirmed in a tweet that the newly minted BNB and BUSD had no available liquidity, rendering them worthless.
Similarly, a large number of the remaining tokens also became worthless. After learning of the incident and of the tokens the attacker had minted, several projects promptly withdrew liquidity from their pools to prevent a dump and a price collapse. OpenOcean, StackOS, Revomon, and NEST, for instance, all pulled their projects' liquidity so the attacker could not sell.
Revomon Twitter
Although the $42 billion figure does not reflect the actual loss from this incident, CertiK has confirmed that assets worth at least $10 million are held in five Ethereum wallets.
Cross-Chain Bridge Vulnerabilities
In 2022, security incidents affecting cross-chain bridges caused losses of $1.3 billion from only five incidents, which illustrates how destructive bridge vulnerabilities are. Protecting bridges is hard: given the value they hold and the variety of exploitable attack vectors, they are prime targets for malicious actors. A bridge is made up of several components (custodians, issuers, oracles, and so on), and because large sums are locked in it, a misconfiguration, vulnerability, or malicious use of any one of them can lead to significant losses.
Attack Process
Poly Network bridges assets between networks with paired "lock" and "unlock" operations. A user first locks tokens in the LockProxy contract on the source chain; that lock emits a cross-chain event which, once relayed to and verified on the target chain, causes the target chain's LockProxy to unlock (release or mint) the corresponding tokens. Because the unlock is driven by the relayed cross-chain message rather than by the source-chain balance directly, the integrity of that message is what protects the funds.
The following example follows a cross-chain transfer from BSC to Ethereum.
① The attacker first calls the Lock function on the BSC network to initiate a cross-chain transfer of a small amount of 8PAY tokens.
Image: The attacker initiates a cross-chain transfer using a small amount of 8PAY tokens. Source: Etherscan
In this transaction, the data is "0x4a14feea0bdd3d07eb6fe305938878c0cadbfa16904214e0afadad1d93704761c8550f21a53de3468ba599e80300000000000000000000000000", where the first byte 0x4a (decimal 74) is the length prefix of the payload that follows. That payload is the serialized unlock arguments: a one-byte length (0x14 = 20) followed by the 20-byte asset hash 0xfeea0bdd3d07eb6fe305938878c0cadbfa169042, a second length byte and the 20-byte recipient 0xe0afadad1d93704761c8550f21a53de3468ba599, and finally a 32-byte little-endian amount beginning e8 03, i.e. 1,000 base units (1 + 20 + 1 + 20 + 32 = 74 bytes).
② The attacker then calls EthCrossChainManager.verifyHeaderAndExecuteTx() on Ethereum, which dispatches to the LockProxy unlock function and emits UnlockEvent. The arguments the unlock was executed with are not the ones that were locked:
"0x14feea0bdd3d07eb6fe305938878c0cadbfa16904214e0afadad1d93704761c8550f21a53de3468ba59900e00fc80b54905e35ca0d000000000000000000000000000000000000000000"
The asset hash and recipient are identical to step ①, but the amount field, which was e8 03 00 ... (1,000 base units) in the lock, now reads 00 e0 0f c8 0b 54 90 5e 35 ca 0d 00 ..., so the number of 8PAY tokens released is many orders of magnitude larger than what was locked.
③ The attacker repeated this process as described above, involving 57 different tokens distributed across 11 different blockchains. The attacker profited approximately $42 billion worth of assets (based on paper value).
Image: Tokens unlocked by the Poly Network attacker on Ethereum. Source: Etherscan
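To make the comparison in steps ① and ② concrete, the following Python script decodes both payloads. It is an added example written for this analysis, not CertiK's or Poly Network's code; it implements the argument layout Poly's Ethereum contracts use (two length-prefixed byte strings, toAssetHash and toAddress, followed by a 32-byte little-endian amount) and reads the lock payload's one-byte outer length prefix. The two hex strings are the ones quoted above; the lock payload as printed is cut off inside the amount field, which the decoder zero-pads (exact here, because the missing bytes are the high-order bytes of a little-endian integer and are zero).

```python
"""Decode Poly Network cross-chain "unlock" argument payloads.

Added example for this analysis; not CertiK's or Poly Network's code.
Layout (Poly's ZeroCopySource/ZeroCopySink on Ethereum):
    var-bytes toAssetHash | var-bytes toAddress | uint256 amount (little-endian)
where var-bytes = Bitcoin-style varint length + raw bytes.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Payloads quoted in the article. LOCK_PAYLOAD (lock on BSC) carries a
# one-byte outer length prefix (0x4a = 74) and is truncated inside its
# amount field as printed; UNLOCK_PAYLOAD (unlock on Ethereum) is the
# bare argument blob.
LOCK_PAYLOAD = "0x4a14feea0bdd3d07eb6fe305938878c0cadbfa16904214e0afadad1d93704761c8550f21a53de3468ba599e80300000000000000000000000000"
UNLOCK_PAYLOAD = "0x14feea0bdd3d07eb6fe305938878c0cadbfa16904214e0afadad1d93704761c8550f21a53de3468ba59900e00fc80b54905e35ca0d000000000000000000000000000000000000000000"

AMOUNT_LEN = 32  # amount is a uint256 serialized little-endian


@dataclass
class TxArgs:
    to_asset_hash: str            # 0x-prefixed; 20 bytes for an ERC-20 asset
    to_address: str               # 0x-prefixed recipient
    amount: int                   # token base units
    declared_len: Optional[int]   # outer var-bytes length, if the payload had one


def _hex_to_bytes(h: str) -> bytes:
    h = h[2:] if h.startswith("0x") else h
    if len(h) % 2:  # a truncated dump may stop on a half byte
        h += "0"
    return bytes.fromhex(h)


def _read_var_uint(buf: bytes, off: int) -> Tuple[int, int]:
    """Bitcoin-style varint: 1 byte if < 0xFD, else 0xFD/0xFE/0xFF + LE 2/4/8 bytes."""
    tag = buf[off]
    if tag < 0xFD:
        return tag, off + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[tag]
    end = off + 1 + width
    return int.from_bytes(buf[off + 1:end], "little"), end


def _read_var_bytes(buf: bytes, off: int) -> Tuple[bytes, int]:
    n, off = _read_var_uint(buf, off)
    if off + n > len(buf):
        raise ValueError(f"var-bytes of length {n} overruns buffer at offset {off}")
    return buf[off:off + n], off + n


def decode_tx_args(payload: str, outer_length_prefix: bool = False) -> TxArgs:
    """Deserialize unlock arguments; optionally strip a leading var-bytes wrapper."""
    buf = _hex_to_bytes(payload)
    declared: Optional[int] = None
    if outer_length_prefix:
        declared, off = _read_var_uint(buf, 0)
        # Zero-pad a truncated dump to the declared length. Exact for the
        # article's lock payload: only high-order bytes of the little-endian
        # amount are missing, and those are zero.
        buf = buf[off:].ljust(declared, b"\x00")
    asset, off = _read_var_bytes(buf, 0)
    addr, off = _read_var_bytes(buf, off)
    amount = int.from_bytes(buf[off:off + AMOUNT_LEN].ljust(AMOUNT_LEN, b"\x00"), "little")
    return TxArgs("0x" + asset.hex(), "0x" + addr.hex(), amount, declared)


def compare_lock_unlock(lock_hex: str, unlock_hex: str) -> Dict[str, object]:
    """Report what changed between what was locked and what was unlocked."""
    lock = decode_tx_args(lock_hex, outer_length_prefix=True)
    unlock = decode_tx_args(unlock_hex)
    return {
        "same_asset": lock.to_asset_hash == unlock.to_asset_hash,
        "same_recipient": lock.to_address == unlock.to_address,
        "lock_amount": lock.amount,
        "unlock_amount": unlock.amount,
        # 0x4a = 74 must equal 1 + 20 + 1 + 20 + 32 for a 20-byte asset and recipient
        "declared_len_ok": lock.declared_len == 1 + 20 + 1 + 20 + AMOUNT_LEN,
    }


if __name__ == "__main__":
    for key, value in compare_lock_unlock(LOCK_PAYLOAD, UNLOCK_PAYLOAD).items():
        print(f"{key}: {value}")
```

Running it shows the asset hash and recipient identical across the two payloads, a lock amount of 1,000 base units against an unlock amount of 0xdca355e90540bc80fe000 base units, and confirms that the 0x4a prefix is exactly 1 + 20 + 1 + 20 + 32 bytes. The same decoder can be pointed at any Poly unlock payload pulled from a transaction's calldata or event log to check that the amount released matches the amount locked on the source chain.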
Asset Tracking
On the Ethereum network, the attacker successfully converted some tokens into ETH. The process is as follows:
During the attack, the attacker also moved 1,592 ETH (approximately $3.05 million) in one transaction and sent 2,240 ETH to three externally owned accounts (EOAs). The attacker additionally obtained approximately 3.01 million USDC and 2.65 million USDT, which were swapped for 1,557 ETH and 1,371 ETH respectively.
The remaining token assets were transferred to new EOAs, each funded with 1 ETH, although these tokens have not yet been cashed out. Because project owners removed liquidity to prevent sell-offs, some of them became worthless. So far the attacker appears to have realized only about $10 million from the incident.
Image: Poly Network attacker transferring assets and 1 ETH to new EOA addresses
In Conclusion
In 2022, the Web 3.0 ecosystem felt the full impact of cross-chain bridge attacks, with Ronin Bridge, Wormhole, and Nomad among the projects hit. Initial figures for the Poly Network incident suggested the largest security incident the Web3 ecosystem had yet seen, but because the newly minted tokens had no liquidity behind them, the loss has been contained to about $10 million at the time of writing. There is not yet consensus on how the attacker compromised Poly Network. Because the on-chain contracts behaved as designed, accepting and executing the cross-chain message presented to them, preliminary indications point to a leaked private key or an off-chain vulnerability rather than a bug in the contracts themselves.