Poly Chain Hack Postmortem

in crypto •  last year 

Poly Chain Hack Postmortem

On July 2nd, 2023 06:47:20 PM UTC Poly Network suffered what was initially reported to be a notional $34b hack (the actual realized amounts were far less, due to most of the tokens being illiquid). The Poly team paused their smart contracts EthCrossChainManager on several chains, most notably on Metis, BSC and Ethereum. After our team reconstructed the attack, we concluded that the root cause was not a logical bug on the smart contract, but, most likely, stolen (or misused) private keys of 3 out of 4 of Poly network's keepers (off-chain systems controlled by the team). In order to understand how the attack took place, we need to understand the architecture of Poly's cross-chain managers.

Read the article for the full grimy details.

Finally, it took Poly network 7 hours to react to today's attack, and in the meantime the attacker had orchestrated several transactions on multiple chains to exploit this.

If indeed the Poly network developers confirm the attack has to do with compromised signature keys, as is likely the case, this brings to question the suitability of centralized bridges controlling so much funds.

and... here's the sales pitch:

The attack also suggests less-than-perfect monitoring by the Poly network team of the underlying bridge. Had the protocol been set up with a fast monitoring solution, such as Dedaub Watchdog, this would have significantly reduced the reaction time and possibly saved some funds.

You can also follow the story here:

And follow the money here:

And, this made me smirk...

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE BLURT!
Sort Order:  
  ·  last year  ·  
  ·  last year  ·  

the dead are moving...

  ·  last year  ·  

inside jobs


whole thread interesting

  ·  last year  ·  

This didn't age well


with the paint still wet.

  ·  last year  ·  

shillin times.

cascading multisig would mean knowing who is awake.

  ·  last year  ·  

This is fun, from the same people at Dedaub:
I See Dead Code
What if I told you that over one-third of recently-deployed Ethereum smart contracts consist mostly of unusable junk?

One issue here, will be cases where the junk may still be exploited - where the dead are resurrected.

  ·  last year  ·  

zombie contracts!

I see dead pools.