Honour, Exploit, and Code: How we lost 610M dollar and got it back

The Poly Network attack on August 10 was probably the largest cyber security incident of its kind in history, with over $610 million in crypto assets stolen, and eventually returned within 15 days. The entire Blockchain industry and all the parties involved went through all the ups and downs along with Poly Network. Now that all the affected assets have been returned safely to users and the system has been largely restored to pre-incident levels, the story can finally be wrapped up.

We have received multiple queries regarding the incident in the past two weeks, and we would like to transparently review the whole incident from our perspective as a caution to ourselves and also to share the details of how the whole thing was handled. We may not have done a perfect job with this incident, but it certainly is a valuable experience that will guide us in the future.

What went down

Several security agencies have commented on the incident and provided their descriptions.

• The Analysis and Q&A Of Poly Network Being Hacked https://slowmist.medium.com/the-analysis-and-q-a-of-poly-network-being-hacked-8112a35beb39
• Kelvinfichter’s analysis of the cause of the attack https://twitter.com/kelvinfichter/status/1425290462076747777
• Slow Mist: The Analysis Of Poly Network Attack Causes https://slowmist.medium.com/the-root-cause-of-poly-network-being-hacked-ec2ee1b0c68f

The night of the incident was also the night we were under the most pressure. We tried to be as targeted and methodical as possible to address the core issues by: locking down assets, reducing community speculation, and establishing communication channels.

• Trying to establish communication with the attack address; https://etherscan.io/tx/0xf6488e1efacd9c280eb91133d04ba357beca8016df8b0b0524b9a2e207b2ad7f，https://twitter.com/PolyNetwork2/status/1425123153009803267
• Finding vulnerabilities, working out vulnerability patches, analyzing asset destinations and attack behavior; https://twitter.com/PolyNetwork2/status/1425130017546149891 https://twitter.com/SlowMist_Team/status/1425197809058254849
• Inventorying the affected assets, contact asset issuers to freeze assets and mitigate uncontrollable losses; https://twitter.com/PolyNetwork2/status/1425073987164381196
• Notifying all exchanges to keep watch over any withdrawal of funds;
• Call on pool miners to intercept transactions that attackers are trying to launder; https://twitter.com/PolyNetwork2/status/1425090228830842893
• Updating progress with users, communities and medias timely; https://twitter.com/PolyNetwork2/status/1425130017546149891

We achieved the following.

• Established encrypted communication channels with 0x8a addresses through the ETH network.
• Tether announced the freezing of over 33 million USDT affected assets; https://twitter.com/paoloardoino/status/1425090760609832978
• Binance, Okex, and Huobi issued announcements that they will follow the flow of funds from this event; https://twitter.com/cz_binance/status/1425091869709570060 https://twitter.com/JayHao8/status/1425094897976193034?s=20 https://twitter.com/DujunX/status/1425100770588954626
• Got in touch with USDC, BSC, Polygon, Heco, wBTC, MetaMask, and others.
• Continuous progress reports on the incident from the Poly Network Twitter to reduce user panic and avoid rumors. https://twitter.com/PolyNetwork2/status/1425309429935710208

Decentralization has a long way to go

On August 11, the attacker announced that they were “ready to return the assets”. The deployment of Poly Network’s collection address was then completed, and on August 11, 8:43:57 AM +UTC Poly Network started to recover the assets that were returned first. By August 13, the system had recovered enough assets to restore partial functionality, and after confirming with Mr. White Hat entered a recovery and rebuilding phase with the same two core objectives: facilitating asset recovery, and rapid system restoration.

• Confirming the collection process with Mr. White Hat; https://etherscan.io/tx/0x910b00b2b60b76d7c29a1855f9a1ebf204356eed22498334ddd46e46d96e06c2
• Committing to users regarding full asset recovery as the primary goal; https://twitter.com/PolyNetwork2/status/1425785007486820368
• Fixing vulnerabilities and ensuring system security; https://github.com/polynetwork/eth-contracts/pull/12/files
• Confirming system reboot plan and preparing a roadmap; https://medium.com/poly-network/poly-network-roadmap-for-the-next-phase-9f84c03c2e53?source=social.tw&_branch_match _id=549963884981436182
• Set up application channels for projects to apply for asset recovery; https://twitter.com/PolyNetwork2/status/1427233445185409026
• Discussing the handling of frozen USDT with Tether.
• Maintaining communication with the community; https://twitter.com/PolyNetwork2/status/1425739339820982275

We achieved the following results.

• Recovered BSC, Polygon assets; https://twitter.com/PolyNetwork2/status/1425309429935710208
• Established a multisig wallet account; https://etherscan.io/tx/0xf391ec8d5935d4ec11efb2c8b99ba3586cb0b0f05c5e0b9c44c74a1c40386bd7
• Completed system vulnerability fixes and announced a new security solution; https://twitter.com/PolyNetwork2/status/1426819500263890946
• Announced system reboot roadmap; https://twitter.om/PolyNetwork2/status/1426490057276280832
• Confirmed list of restorable functions and provided support for function restoration; https://twitter.com/PolyNetwork2/status/1427839007501680640

Mr. White Hat also elaborated his reasons for the attack. We have documented their statements including their process, and sincere advice to everyone in the blockchain ecosystem here in full: https://docs.google.com/spreadsheets/d/14hMTpPNylZG6DizU3K-fpDbfYZxenI_KtbHpWkdc7VM/edit#gid=0

During this period, the Poly Network team was also at the receiving end of an unprecedented volume of comments and debates as a result of the controversy. Mr. White Hat raised his biggest concern — the degree of decentralization on Poly Network.

QUICK Q & A, PART (INCREDIBLE) SEVEN:

A: I AM FAIRLY CONFIDENT OF THEIR DESIRE AND CAPABILITY TO RECOVER AND SECURE THE PROJECT WHICH HAS BEEN DESIGNED AS A ROBUST SYSTEM. MY ONLY CONCERN IS THAT THE POLY CHAIN, THE CORE PART OF THE WHOLE NETWORK, IS _NOT VERY DECENTRALIZED_, AND THAT IS NOT SOMETHING I CAN CONTRIBUTE TO. MAYBE I AM _WRONG_. https://etherscan.io/tx/0x1f3ff47b612f2c92a8bda39ba310c38b22a32dca94a38d7073abbc9bb53c1dbc

We would like to reiterate that Poly Network has been making progress down the road of decentralization. We certainly believe that it is a very important part of a good protocol. Anyone interested can keep up with changes here https://github.com/polynetwork/Zion.We hope to ensure the decentralized management of the whole network through a comprehensive economic model and governance mechanism in the future. Since cross-chain protocols are different from single-chain projects, and in order to achieve interoperability between chains with different characteristics, ensuring complete security is a more complicated process than it would be on a single chain. How to establish effective governance is also an important question, and achieving consistency in a diverse world requires a stronger consensus among all the parties involved.

Security is everything

Security should never be a quick fix. And in terms of cybersecurity, this incident has coalesced the most direct and profound sense of involvement across the industry. https://twitter.com/PolyNetwork2/status/1426197361177493511

On August 15, after confirming and announcing the recovery plan, the team started to work towards the objectives laid out in the roadmap, including launching a security bounty program totaling $500,000 on Immunefi’s platform, hoping to attract global security agencies and white hat organizations to help Poly Network with security, which of course was just the first step of security. During the system recovery period we also:

• Offered Mr. White Hat to become Poly Network’s chief security consultant and provide 160 ETH as security bounty. https://twitter.com/PolyNetwork2/status/1427574236483231749
• Confirmed the fix and reboot plan with PeckShield, BlockSecTeam, Beosin (Chengdu LianAn Tech) and other security agencies
• PeckShield: https://peckshield.medium.com/polynetwork-bug-review-and-patch-analysis-88bde8441297
• BlockSecTeam: https://blocksecteam.medium.com/the-informal-security-review-of-the-patch-of-the-poly-network-1a0a532b731e
• Beosin (Chengdu LianAn Tech): https://beosin.medium.com/boesins-analysis-of-the-fix-code-on-poly-network-smart-contracts-a305639ea626
• https://medium.com/poly-network/latest-updates-aug-20-a12447c6d899
• https://medium.com/poly-network/latest-updates-aug-19-ed7ab8e5c2f0
• https://medium.com/poly-network/latest-updates-aug-17-241398d64a40

We would also like to quote some blockchain security advice put forward by Mr. White Hat, which we think is pertinent and objective at a certain level.

Guys, ask yourself, is the poly team the owner of the assets? They are just the manager of the fund! Will you teach them how to trigger their “backdoor”? In the defi world, you can trust nobody but the code and yourself.

To the “victims”: I don’t mean the poly team is not trustworthy, but none of you have the chance to challenge their code which should be the law. don’t worry. you are not real victims, Don’t worry, you are not real victims. I saved you! https://etherscan.io/tx/0x078063e9574e1937a64b6552919b9fc0035429df1e601d79e200bf211e75f337

Q: ANYTHING ABOUT THE DEFI/BLOCKCHAIN SECURITY?

The SECURITY IS A TOUGH JOB, NO MATTER IF IT’S IN CLASSIC OR CRYPTO WORLD. IN MOST CASES, WE SECURITY EXPERTS ARE ONLY SUMMONED AS THE MEDICAL EXAMINERS AFTER THE INCIDENTS. What we do is just WRITING POSTMORTEMS, SOMETIMES TRACING THE BAD GUYS. IT’S ALMOST THE SAME IN THE CRYPTO WORLD, EXCEPT THAT SOME PROJECT ARE NOT VERY URGENT GETTING THE MONEY BACK SINCE IT’S NOT THEIR MONEY, THEY WOULD JUST TELL THE REAL VICTIMS THAT “SORRY WE TRIED BUT NEVER GURANTEED THE EXTREME SECURITY”. https://etherscan.io/tx/0x42446ccc66bb48eac7bd905ae7d79708f303849802b280eb4d65770c1bfc0997

We believe that the security of the protocol is definitely a crucial aspect, but we also believe that in the crypto world, there’s something bigger and more profound that exists above the code. Maybe we have different values and knowledge base, but we can still participate in the process of building and fairly governing our world.

All your tokens have returned to you

All stories have an ending, and we are glad that this one has a happy ending.

• On August 19, Mr. White Hat returned 96,942,063 DAI on Ethereum.
• On August 22, all but wBTC and ETH assets were returned, and Poly Network began the asset inventory and recovery of the stablecoin to assist in the restoration of O3 Hub functionality.
• The conversion between 96,942,063 DAI and USDC returned by Mr. White Hat was completed on August 23, along with the conversion of 87,557,051 BUSD on BSC to USDC (BEP-20). For slippage losses and fees incurred in trading, Poly Network team compensates with its own funds. https://etherscan.io/tx/0x814e6a21c8eb34b62a05c1d0b14ee932873c62ef3c8575dc49bcf12004714eda , https://medium.com/poly-network/latest-updates-aug-23-7f6cca47b574
• On August 23rd Mr. White Hat published the private key of the multi-signature wallet. https://twitter.com/PolyNetwork2/status/1429738587046563841
• On August 25, all WBTC and ETH assets affected by this attack were restored. https://twitter.com/PolyNetwork2/status/1430485302527741954
• On the same day, Tether releases all 33,431,200 USDT assets previously frozen to Poly Network’s multi-signature wallets that received the assets. https://twitter.com/Tether_to/status/1430510652582416387
• On August 26, Poly Network completed the recovery of USDT assets. At this point, all assets affected by the attack have been restored. https://medium.com/poly-network/poly-network-asset-recovery-complete-a7ba33c2f2e4

Thank you all for standing with us.

This story has come to an end, but for us it is the beginning of our next journey. Before we start this new journey, we would like to express our sincere gratitude and deepest apologies to all the projects and users on Poly Network. We are sorry for the trouble caused to all users due to system bugs. Thank you for your trust in the project. Even though we may lose some confidence on the part of some people who once believed in us, we will, through our actions in the coming future, rebuild your confidence in the project. At the same time, we will express our thanks to everyone who has used Poly Network, supported us, and experienced this incident with us in our own way. We will announce details via the official channel after the system has been fully restored.

Finally, we would like to state that project security will always be the central theme of Poly Network and the entire industry. We hope that the Poly Network incident will not only help us build a more robust project, but also act as a deep and lasting alert to the whole industry. For us, this experience is a memory we will never forget. It represents not only the security of a protocol, but also a fresh understanding of trust, power, desire, responsibility, and faith.

For more information on Poly Network, please refer to the links below

Website | Telegram | Medium | Twitter | Discord | Github| Forum