A hacker stole $613m from decentralised finance (DeFi) platform Poly Network before returning some $260m of the funds amid a turbulent week for the cryptocurrency industry.
Poly Network provides a peer-to-peer platform that allows users to transfer cryptocurrencies, such as bitcoin and Ethereum, across different blockchains. It uses smart contracts that dictate when to release the tokens to the people making the trade.
On 10 August the hacker or hackers exploited a flaw between contract calls that effectively meant they could declare themselves as the owner of any funds processed on the platform.
It meant there was nothing Poly Network could do as it watched hundreds of millions of dollars’ worth in cryptocurrencies siphoned into the attacker’s own digital wallets, in one of the largest ever thefts from a cryptocurrency platform.
In a public letter, Poly Network pleaded with the hacker to return the funds, drawing ridicule on social media for its tone.
“Dear hacker,” the note read. “The amount of money you hacked is the biggest one in the defi history (sic). Law enforcement in any country will regard this as a major economic crime and you will be pursued.”
It added: “You should talk to us to work out a solution.”
— Poly Network (@PolyNetwork2) August 10, 2021
The heist took an unexpected turn on Wednesday when the attacker returned $260m in tokens. In a self-conducted Q&A published on a smart contract, the hacker said they carried out the attack “for fun” and to point out security flaws in Poly Network’s code.
“I am not very interested in money! I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?” the hacker wrote.
A total of $269m in Ethereum tokens and $84m in Polygon tokens has yet to be recovered.
Update 24/08/21: Poly Network said the hacker has returned all the stolen cryptocurrency, barring $33m in stablecoin Tether that has been frozen by the company that manages it.
Andy Bryant, CEO and co-founder of DeFi company Vektor told Verdict that the attacker’s real motives may have been the fear of being caught.
“If a hacker pulls off an irreversible, technically uncensorable heist on the blockchain they can still often be tracked down and identified through other methods by law enforcement,” he said. “In which case, the technical features of the blockchain being irreversible and uncensorable are irrelevant.”
The Poly Network hack has increased calls for regulation of the cryptocurrency sector.
“While regulation and compliance can be perceived as a burden on traditional financial services, it’s these kinds of attacks that they are designed to prevent or minimise the damage from,” said Javvad Malik, security awareness advocate at cybersecurity company KnowBe4, adding that it “can be incredibly difficult to recover money once it’s been stolen”.
Regulators clamp down on cryptocurrency platforms
It comes amid a tough week for DeFi and cryptocurrency platforms.
On Tuesday cryptocurrency exchange Poloniex agreed to pay $10.4m to settle charges levied by the US Securities and Exchange Commission that it was operating without a license.
Then on Wednesday cryptocurrency exchange BitMEX agreed to pay $100m to settle US charges that it accepted customer funds to trade cryptocurrencies when it was not registered to do so for six years.
BitMEX also failed to implement anti-money laundering and know your customer processes, the US authorities said.
On Thursday, the UK’s Financial Conduct Authority (FCA) said it discovered 138 cryptoasset businesses that “appeared to be trading without having applied for registration” and has placed them on a public-facing register. It is the first year that the FCA has assessed the AML measures of cryptoasset businesses, which it said post “increased risk of financial crime”.
A report published this week by cryptocurrency intelligence company CipherTrace underscored the troubles plaguing the industry. It found that DeFi crime hit a record high in the first seven months of 2021, registering criminal losses of $474m – not including the funds stolen in the Poly Network hack.
However, there was some good news as overall losses in the cryptocurrency from theft dropped to $685m at the end of July compared to $1.9bn for the whole of 2020.
The news comes as regulators around the world are clamouring for stricter rules around cryptocurrencies, something that a recent GlobalData research report predicted there will be more of in the near future.
The spate of clampdowns follows Barclays banning customers transferring funds into cryptocurrency exchange Binance last month.
The newly appointed SEC chair last week said he wanted additional powers to clamp down on cryptocurrencies.
Bryant believes that the Poly Network hack will spur regulators to make DeFi more secure.
“DeFi will get safer over time as it becomes more mainstream, just like cars did,” he said. “Regulators are already increasingly looking at DeFi before this happened.”