Hackers committed the biggest cryptocurrency heist on Tuesday, stealing more than $600 million in digital coins from the token-swapping platform Poly Network, only to return almost all of their assets less than 48 hours later, the company said.
Poly Network is a decentralized finance (DeFi) platform that conducts peer-to-peer transactions that allow users to transfer or exchange tokens across different blockchains.
Poly Network was founded by Chinese businessman Da Hongfei, who is currently head of blockchain platform Neo. It was launched in August 2020 as a collaboration between Neo, crypto-trading platform Switcheo and blockchain company Ontology.
One of the smart contracts that Poly Network uses to exchange tokens between blockchains has large amounts of liquidity to enable users to effectively exchange tokens, as crypto-messaging company CipherTrace puts it.
Poly Network said in a Tweet on Tuesday that a preliminary investigation found that the hackers exploited a security flaw in the smart contract.
After analyzing the transactions by Kelvin Fichter, an Ethereum programmer, the hackers were able to override the contract instructions for each of the three blockchains and redirect the money to three wallet addresses, digital locations for tokens. These were later tracked and published by Poly Network.
The hackers stole money in more than 12 different cryptocurrencies, including ether and a type of bitcoin.
A person claiming responsibility for the hack said they had detected a “bug,” without elaborating, and that they wanted to “expose the vulnerability” before others could exploit it.
Coindesk reported on Tuesday that the attackers first tried to transfer some assets from one of the three wallets to the liquidity pool Curve. fi, but this was rejected. About $100 million was transferred from another wallet and deposited into the liquidity pool of Ellipsis Finance.
On Wednesday, however, the attackers began transferring assets back to Poly Network in a wallet controlled by both parties, and by Thursday afternoon the attackers had returned almost all the assets, with only $33 million frozen from the Tether cryptocurrency platform.
It has not yet been possible to determine who or which group is responsible for the attack.
For more information, read the original story by Reuters.