A brazen robbery by crypto hackers cost users of a DeFi platform a collective $610 million, but only for a little while. Claiming that it was just a demonstration of a vulnerability, the hackers have since returned all but $33 million in assets.
It remains unclear if this was the intention from the beginning, or if the crypto hackers were scared into reversing course by pledges to hunt them down coming from across the cryptocurrency community.
Crypto hackers make off with $610 million, then return most of it with claims of “security research”
The initial theft put the brazen DeFi platform heist up with the biggest cryptocurrency breaches in history (2018’s CoinCheck and 2014’s Mt. Gox). When the dust settles, however, there may well not end up being any actual stolen funds.
The story starts with DeFi platform Poly Network being breached on August 10. The crypto hackers quickly exfiltrated a variety of assets worth about $610 million in total. This included hundreds of millions in Binance Smart Chain, Ethereum and USDC tokens. However, less than a day later the attackers had already begun returning the funds; $260 million to start, and then all but $33 million of it by August 13.
The crypto hackers hosted a Q-and-A session about the breach on a blockchain account that began on August 11, claiming that they were just demonstrating a vulnerability and had always planned to return the funds. However, a quick and vocal response by the cryptocurrency community swearing a variety of colorful oaths of revenge may well have contributed to that decision. Stealing cryptocurrency is one thing, but due to the transparent record of transactions cashing it out without revealing information about yourself is much more difficult. Poly Network also blacklisted a good deal of the stolen tokens, essentially putting a freeze on them that hampers transactions.
Breach highlights DeFi platform safety issues
Most DeFi (decentralized finance) platforms run on the Ethereum blockchain and provide something of a replica of traditional financial institutions (such as banks and exchanges). In addition to a familiar user interface these services often provide approximations of common bank services: virtual interest-bearing “savings accounts” for cryptocurrencies, the ability to trade with or lend to other platform users, purchase insurance and speculate against price movements, for just a few examples.
It appears that the crypto hackers targeted the signatures that are roughly analogous to account passwords on DeFi platforms. This particular exploit was specific to the Poly Network’s individual cryptography. The crypto hackers seem to have figured out how to replicate valid signatures on the network, allowing them to authorize transactions from other people’s accounts.
Cryptocurrency is often thought of as highly secure, but DeFi platforms represent an experimental weak point in the chain that has a small but persistent history of lapses that lead to theft. A network is only as strong as its protocol, which could contain exploitable programming flaws or could develop bugs. In this case, Poly Network said that the crypto hackers exploited a function used in contract calls to link transactions from independent blockchains.
Hank Schless, Senior Manager of Security Solutions at Lookout, points out that DeFi platforms are also ripe for social engineering and phishing attacks as well: “Since cryptocurrency and blockchain are still relatively new technologies, they present an opportunity for threat actors to socially engineer targets. Crypto investors are constantly looking for an edge in the market or what the next big currency that’s going to explode in value. Attackers can use this thirst for information against users in order to get them to download malicious apps or share login credentials for legitimate trading platforms they use. The attacker could then use the malicious app to exfiltrate additional data from the device it’s on or take the login credentials they’ve stolen and try them across any number of cloud apps used for both work and personal life. In order to increase the likelihood of success, attackers target users across both mobile devices and cloud platforms. For example, Lookout recently discovered almost 200 malicious cryptocurrency apps on the Google Play Store. Most of these apps advertised themselves as mining services in order to entice users to download them.”
DeFi platforms are also truly a “wild west” area of finance, completely unregulated and largely untouched by world governments. Anyone can create one, and there is often no real way to verify whether or not they (or their code) is trustworthy. And while the sort of blacklisting Poly Network did in response to the attack is respected by a great deal of the cryptocurrency community, it is not a guarantee against ability to cash out as it requires voluntary adoption by each potentially involved party.
John Callahan, CTO of Veridium, points out that even a user doing everything right in terms of security hygiene could still end up victimized: “Based on what I have read, this was an attack on the Poly Network exchange administrative credentials not on individual user accounts directly. It underscores the risks associated with centralized cryptocurrency exchanges: any successful attack on the exchange results in losses for ALL users. It strengthens, in my opinion, the position of exchanges that support wallets that hold user-owned keys (aka non-custodial wallets). This allows users to hold their own private keys and supports interoperable transactions brokered by any exchange.”
Expect increase in DeFi platform fraud
Incidents such as this have caused finance experts, even those that consider themselves cryptocurrency evangelists, to give basically the same advice that one gives about vacations to Las Vegas: only put as much money into DeFi platforms as you can afford to have disappear in a day. While DeFi platforms that have been around for years and can demonstrate regular outside auditing and security testing are more safe, none are absolutely safe as it is always possible for previously unknown vulnerabilities to develop.
DeFi platforms users should also not expect the relatively happy ending that played out here. At the moment, it looks as if nearly all of the $610 million will be returned to its rightful owners; the only item still in question is $33 million in Tether coin that remains frozen by the issuer at this time. Security firm SlowMist, which is based in China along with Poly Network, said that it is tracking the crypto hackers and has their email and IP address along with device fingerprints. However, even a positive identification may not matter much depending on where the crypto hackers turn out to be located.
DeFi platform fraud in general is sharply on the rise, accounting for 54% of all crypto fraud in the past year as compared to 3% in the previous year. Prior to the Poly Network breach, about $361 million in theft has been attributed to DeFi breaches in 2021 (an increase of about 3x from 2020).