Poly Network Hack Clarification
📕 WHO DID THE HACK TARGET?
This is a big question to ask. I've seen a couple of comments like "Not your keys, not your Crypto" and likening it to BitConnect or Mt. Gox. It's similar, but with a big caveat: these types of attacks don't typically target users' crypto in their wallets. Attacks on custodial exchanges and centralized lending will often target users' crypto just sitting in a spot wallet.
When you supply liquidity to a protocol on DeFi it is not your crypto. Your keys should still be able to authorize the withdrawal of that crypto, or your wallet will have a receipt of supplying, like cETH or LP tokens. You are still ultimately the custodian of your own crypto in DeFi.
If you've been interacting with DeFi protocols, it is highly unlikely you will wake up to a drained Metamask after one of these hacks. You are too small of a fish for those types of attacks to target. You are more likely to have to fall for a phishing scam if that is the case.
Typically hacks like this target liquidity pools. Liquidity pools often have immense value in them. You may lose crypto you have deposited in a hacked pool or farm, but oftentimes protocols come up with solutions to reimburse any lost crypto, like PancakeBunny, which suffered a flash loan attack earlier this year.
Poly Network holds large liquidity pools to facilitate cross-chain transfers, holding a lot of exit liquidity on each chain. The money that was hacked in this event is likely to have been stolen from those who have large amounts of liquidity staked. This is not likely to be you farming CAKE on PCS!
Cross-chain protocols are incredibly hard to code, and they should be treated with caution when supplying liquidity to them.
📗 HOW DID THE ATTACK TAKE PLACE?
I want to keep this part simple for those not technically minded, but there are currently two working theories as to how the hack took place. They both involve the private keys for the ownership of the liquidity pools.
🔑 Theory 1: Leaked Key
Poly Network has a big security problem from the outset. They had a single-sig key to the pools, which means that only one signer would need to authorise any changes to the liquidity pool, including withdrawal of funds. This is like leaving a vault of gold with only one key. If you wanted to access this, there wouldn't be any other parties involved.
Current theories suggest that this key was leaked or hacked via another method off-chain. This is the story from the early official post-mortem from Poly Network.
EDIT: This theory has been disproved by Poly Network, but I wrote it so I thought I'd leave it here as an example of an early working theory.
🖋 Theory 2: Hacked Contracts
There are two important contracts: a "manager" contract and a "data" contract. The data contract specifies the address which can submit transactions which can withdraw funds from the pool. If someone were to replace this address in the contract with their own, they could withdraw as much from the pools as possible.
In Solidity there is a concept called ownership. A smart contract can set certain functions to only execute if the owner executed them. Typically, when constructed, the owner is the wallet that deployed the contract, which is typically the developer. However, in this case the owner of the "data" contract was the "manager" contract.
So now, if you were to call, from the manager, a function which replaces the address in the data contract with your own, it would be allowed.
But here's another flaw in the design of Poly Network. The "manager" contract exists to run transactions on different chains. It has a function called verifyHeaderAndExecuteTx which verifies that a transaction exists on one chain, and if it does, runs it on another. This is needed for cross-chain interoperability.
But wait... we've now got a way to run arbitrary functions from the "manager".
If the attacker devises a specific input, they can now freely set the most important address, the one which says who can withdraw from the pools, to theirs.
Confirmed by Poly Network
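The ownership problem in Theory 2 can be modelled in a few lines of Python. This is an added illustration, not Poly Network's code: the classes, the `set_keeper` method, the address strings and the allow-list fix are all hypothetical, and the header check is reduced to a lookup in a list of source-chain messages.

```python
class DataContract:
    """Stores the one address allowed to authorise withdrawals from the pools."""
    def __init__(self, owner, keeper):
        self.owner, self.keeper = owner, keeper

    def set_keeper(self, sender, new_keeper):
        # The "ownership" check: only the owner may change the keeper.
        if sender is not self.owner:
            raise PermissionError("caller is not the owner")
        self.keeper = new_keeper

class Manager:
    """Relays a message found on the source chain to any contract on this chain."""
    def __init__(self, source_chain_txs):
        self.source_chain_txs = source_chain_txs  # stands in for header/proof checks

    def verify_header_and_execute_tx(self, tx):
        if tx not in self.source_chain_txs:
            raise ValueError("transaction not found on source chain")
        target, method, arg = tx
        # The manager makes the call, so the target sees the manager as the sender.
        return getattr(target, method)(self, arg)

class HardenedManager(Manager):
    """Same relay, but only to registered application contracts (assumed fix)."""
    def __init__(self, source_chain_txs, allowed_targets):
        super().__init__(source_chain_txs)
        self.allowed_targets = allowed_targets

    def verify_header_and_execute_tx(self, tx):
        if not any(tx[0] is t for t in self.allowed_targets):
            raise PermissionError("target is not a registered application")
        return super().verify_header_and_execute_tx(tx)

def run_scenario(manager_cls, **kwargs):
    """Relay a keeper-changing message through manager_cls; return the final keeper."""
    source_chain_txs = []  # anyone can submit a message on the source chain
    manager = manager_cls(source_chain_txs, **kwargs)
    data = DataContract(owner=manager, keeper="0xTEAM_KEEPER")  # constructed value
    tx = (data, "set_keeper", "0xOUTSIDER")                     # constructed value
    source_chain_txs.append(tx)
    try:
        manager.verify_header_and_execute_tx(tx)
    except PermissionError:
        pass  # the hardened relay refuses to call its own data contract
    return data.keeper

if __name__ == "__main__":
    print("open relay:    ", run_scenario(Manager))
    print("hardened relay:", run_scenario(HardenedManager, allowed_targets=[]))
```

The owner check in `DataContract` behaves as written in both runs; the difference is whether the relay that owns it will forward a call to it on behalf of an arbitrary source-chain message.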