PolyNetwork is still trying to recover from the attack on July 2, where hackers stole about $5.5 million, even though the notional value of the episode is reportedly $34 billion. The Poly developers have halted all smart contracts to resolve the breach.
Following the incident, several blockchain security firms, including SlowMist, Binance Labs, Dedaub, and Peckshield, offered to assist with investigations.
Dedaub published a technical assessment of the hack a few hours after that shows PolyNetwork secured its wallets with a simple three-of-four multisig arrangement over two years – which is incredibly risky.
In blockchain, the importance of boosting wallet security every few months cannot be over-emphasized. Dedaub found that the private keys to the multisig address were compromised.
In addition to that, PolyNetwork took seven hours to halt the smart contracts. This is a long time in blockchain, considering the massive damage hackers can do in only a few minutes.
PolyNetwork hack affected 50+ assets on 10 blockchains
Despite executing a hack that affected over 50 assets in 10 different blockchains, Dedaub maintains the hack wasn’t complex. The hacker used the compromised private keys to sign confirmations that they owned the protocol’s BNB. Out of the ten blockchains affected, Metis, BSC, Heco, and Ethereum suffered the most harm.
The attacker went ahead to mint assets on different blockchains and sold them. However, the attacker could not cash out all the stolen assets due to no liquidity for some assets on specific blockchains.
PolyNetwork cross-chain managers were signed
As Dedaub continues to dig further into the execution of this hack, it believes the private keys were not stolen, implying the hack may have been an inside job. Dedaub arrived at this conclusion due to the lack of a logical bug in the exploitation.
Examining the PolyNetwork Merkle tree, Dedaub found the entire header; consequently, the state root was signed. Furthermore, the code was correctly invoked by 3 of the designated private key keepers.
A few hours before the Dedaub post-mortem came out with a contradicting conclusion, Arhat, founder of 3z3 Labs, posted his analysis of the PolyNetwork hack. From his assessment, the hack happened because of a smart contract vulnerability.
As more investigation into the event happens, more light may be shed on how this hack took place and the extent of its damage.
