Attacker pockets $10 million from Poly Network security attack: Beosin

Quick Take

  • Poly Network suffered a security attack on Sunday, allowing an attacker to pocket $10 million worth of ether.
  • The attacker illicitly minted varying amounts of 57 tokens across 10 blockchains, including Ethereum, BNB Chain and Metis.

An unknown attacker swapped out over $10 million worth of ether following a security attack on Poly Network this Sunday, according to the latest data aggregated by security firm Beosin.

Poly Network is a cross-chain bridge that facilitates asset transfers across different blockchains. The incident allowed the perpetrator to mint varying amounts of 57 tokens across blockchains, the Poly Network team noted. The affected chains included Ethereum, BNB Chain, Metis and Polygon.

Following the exploit, the attacker’s crypto wallet displayed an on-paper value exceeding $34 billion, Beosin noted. However, this value did not translate into actual gains for the attacker due to a pronounced lack of liquidity in the affected chains.

Only a small portion of the artificially minted tokens was exchanged for ether (ETH) on the Ethereum and Binance Smart Chain networks, totaling approximately 5,196 ETH, or $10.1 million, noted Beosin. 

Security analysts at Beosin and Dedaub suggested that the attack on Poly Network may have stemmed from a compromise or theft of private keys used in the platform’s main smart contract, rather than from a specific vulnerability within the contract’s logic. They alleged that the private keys for three out of the four admin wallets, which power the project’s main smart contract, were compromised. The Poly Network team has not yet responded to this claim.

This incident marks the second major security hack for Poly Network. In 2021, someone stole $611 million worth of assets from the project in what was considered one of the largest crypto heists to date, only to later return them.

Poly Network's response

Following the incident, Poly Network announced a suspension of its services and said it was actively working with centralized exchanges and law enforcement agencies to identify the perpetrator and recover the funds. Centralized exchanges are particularly significant in this context, as they possess the ability to track suspicious activities and halt transactions associated with the illicitly minted tokens. 

The Poly Network team recommended that the affected projects withdraw liquidity from decentralized exchanges (DEX) and urged users holding the impacted assets to unlock them and claim back their liquidity pool (LP) tokens tied to those assets. The team also appealed to the attacker to return the user assets in order to “avoid any potential legal consequences.”

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.