Poly Network hacker reveals attack details: The attack was unexpected, returning the funds was originally my plan

John
2021-08-12 08:51:18
Collection
Believe it or not, I was also forced to participate in this game.

Chain Catcher reported that as of 8 AM on August 12, the Poly Network attacker has returned tokens worth over $342 million (including USDC, BUSD, SHIB, and FEI) through BSC, Ethereum, and Polygon.

In the early hours of August 12, the Poly Network hacker left a message via a transfer on the Ethereum network, answering some questions about the motives and reasons behind the attack in a Q&A format. He stated:

Q: Why be a hacker?

A: For fun :)

Q: Why choose Poly Network?

A: Cross-chain is very popular.

Q: Why transfer the tokens?

A: To ensure safety.

When I discovered this flaw, I had a complex feeling. I asked myself, what would you do if so much wealth was in front of you? Politely inform the project team so they can fix the vulnerability? But anyone could become a traitor, because this is a billion dollars! I can't trust anyone. I can't trust anyone! The only solution I could think of was to store the money in an account I trust while keeping my identity anonymous and safe. Now everyone smells a conspiracy in this. An insider? I'm not, but who knows? I have a responsibility to expose this vulnerability before any insiders hide and exploit it!"

Q: Why make it so complicated?

A: POLY Network is a nice system. This is one of the most challenging attacks a hacker can enjoy. I had to quickly beat any insiders or hackers; I took it as a rewarding challenge :)

Q: Did you expose your identity?

A: No, never. I understand that even if I don't do anything bad, there is a risk of exposing myself. So I used temporary emails, IPs, or so-called fingerprints, which are untraceable. I prefer to stay in the dark and save the world.

Q: What exactly happened in the attack 30 hours ago?

A: It's a long story.

Believe it or not, I was also forced to participate in this game.

Poly Network is a complex system, and I couldn't manage to set up a local testing environment. I failed to create a proof of concept (POC) from the start. However, just when I was about to give up, the opportunity came. After debugging all night, I created a SINGLE message for the ontology network.

I planned to launch a cool lightning attack to quickly take over the four networks supporting Poly: ETH, BSC, Polygon, and HECO. However, the HECO network malfunctioned! The behavior of the relayer was different from other relayers, and the administrator directly relayed my vulnerability attack, with the keys updated to some incorrect parameters. This ruined my plan.

I should have stopped the attack at that moment, but I decided to let the show go on! What if they secretly patched this vulnerability without any notice?

However, I didn't want to cause real panic in the crypto world. So I chose to ignore the junk coins on Poly, so people wouldn't have to worry about them going to zero. I took those important tokens (except SHIB) and didn't sell any tokens afterward.

Q: Then why sell/exchange those stablecoins?

A: The initial response from the POLY team made me very angry.

Before I could respond, they urged others to blame and hate me! I certainly knew there were fake DeFi tokens, but I didn't take it seriously because I had no plans for money laundering.

Meanwhile, depositing stablecoins elsewhere for investment could earn some interest to cover potential costs, giving me more time to negotiate with the Poly team.

Q: Why send a community member a tip of 13.37 ETH? (Note: A community member named "Hanashiro.eth" informed the hacker not to use USDT through a transaction message and received a reward of 13.37 ETH from an address linked to "PolyNetwork Exploiter.")

A: I felt the warmth of the Ethereum community.

I was busy investigating the HECO issue and debugging my script at the time. I thought it was a network problem, wondering why I couldn't deposit (I used a complex network proxy). So I shared my goodwill with that guy.

Q: Why ask about Tornado and DAO? (Note: Tornado is often used by hackers to mix coins and launder stolen assets)

A: Having witnessed so many hacks, I knew putting funds into Tornado was a wise but desperate decision. It went against my original intention. After seeing so many pleas, becoming a crowdsourced hacker was just a joke I made :)

Q: Why return the funds?

A: That has always been my plan! I'm not very interested in money! I know people suffer when attacked, but shouldn't they learn something from so many past hacks? I announced the decision to return the funds before midnight, so those who believe in me should go get some good rest ;)

Q: Why is the progress of returning funds a bit slow?

A: I do need time to communicate with the POLY team. Sorry, this is the only way I know to maintain my dignity while hiding my identity. I need to take a break.

Q: What do you think of the Poly team?

A: I have started brief conversations with them, and the content logs are on Ethereum. I may or may not release this content. Their suffering is temporary, but it must be unforgettable.

I want to provide them with tips on how to secure their network so that they can qualify to manage a project worth a billion dollars in the future. Poly Network is a well-designed system that will handle more assets. They have many new fans on Twitter, right?

ChainCatcher reminds readers to view blockchain rationally, enhance risk awareness, and be cautious of various virtual token issuances and speculations. All content on this site is solely market information or related party opinions, and does not constitute any form of investment advice. If you find sensitive information in the content, please click "Report", and we will handle it promptly.
ChainCatcher Building the Web3 world with innovators