Poly Network was hacked, becoming the most serious security incident in the history of the DeFi industry
Author: Gu Yu
Tonight, hackers simultaneously attacked the smart contracts that the cross-chain interoperability protocol Poly Network had deployed on Ethereum, BSC, and Polygon, transferring out assets worth over $590 million, including USDC and ETH. It is the most severe security incident in the history of the DeFi industry.
The attack first occurred at 17:55 tonight, with hackers transferring 96.38 million USDC, 1,032 WBTC, and other assets from the Poly Network smart contract on Ethereum, totaling over $260 million; starting at 18:04, hackers transferred 85.08 million USDC from the project's smart contract on Polygon; and starting at 18:08, hackers transferred 87.6 million USDC, 26,629 ETH, and other assets from the project's smart contract on BSC, totaling over $250 million.
On-chain records show that the source of the attackers' funds was traced to an address marked as HOO exchange, which also provides a possible lead for identifying the attackers.
According to SlowMist Security, its team has linked and identified the attackers' email, IP, and device fingerprints through on-chain and off-chain tracking, and is currently tracing possible identity clues related to the Poly Network attackers. With technical support from Hoo and several exchanges, the SlowMist security team found that the initial source of the hackers' funds was Monero (XMR), which was exchanged for BNB/ETH/MATIC and withdrawn to three addresses shortly before the attacks were launched on the three chains.
Initially, this incident was thought to be an attack on O3swap, as many users in the project's Telegram group reported that the cross-chain transfer function could not be completed smoothly, and there were multiple O3 token transactions from the stolen addresses, causing O3's price to drop by 30% at one point.
However, information subsequently released by the two projects on Twitter indicated that the attacked project was actually Poly Network. O3swap's cross-chain transfer function is built on the Poly Network cross-chain protocol, which is why its cross-chain functionality and assets were affected. Reportedly, neither Poly Network nor O3swap has fully open-sourced its project to date.
Poly Network is a heterogeneous cross-chain protocol jointly launched by Ontology, Neo, and Switcheo, with its mainnet launched in August 2020. It supports interoperability among 10 heterogeneous blockchains, including Bitcoin, Ethereum, Neo, Ontology, Heco, BSC, and OKExChain, with over 130,000 addresses using this cross-chain service.
Among them, users from the two major public chains, Neo and Ontology, are the main user group of Poly Network. If users attempt to participate in DeFi mining activities on these two public chains, they need to transfer assets across chains through Poly Network.
Poly Network has officially called on cryptocurrency companies such as Binance, Huobi, Bitpay, and Tether to blacklist or freeze the hackers' addresses. Tether CTO Paolo stated that Tether has frozen $33 million worth of USDT involved in the Poly Network theft, and Zhao Changpeng also said on Twitter that he would provide assistance.
However, according to data from Etherscan and Bscscan, the hackers have already transferred over 96 million USDC to the Curve stablecoin pool and subsequently converted it all to DAI, while transferring nearly $120 million worth of BUSD and USDC on BSC to Ellipsis Finance. No further actions have been reported regarding the other assets transferred by the hackers.
Previously, several cross-chain asset projects, including Chainswap, Anyswap, Thorchain, and Never Network, had also been attacked by hackers.