Poly Network exploit

The Poly Network exploit was an attack conducted by anonymous hackers on August 10, 2021. The attack transferred over $610 million in digital cryptocurrency to the hackers. All assets were returned to Poly Network over the following 15 days. It was one of the largest security incidents in DeFi's history in terms of mark-to-market value.

Background

Poly Network is an interoperability protocol that lets users exchange one cryptocurrency for another across blockchains, such as trading Bitcoin for Ethereum. [1] Before the attack, Poly Network had transferred $10 billion in digital assets between blockchains and held assets with a total value of nearly $1 billion.

Attack

The hackers transferred approximately $610 million of the most valuable digital assets to three addresses they controlled on Ethereum, Binance Smart Chain and Polygon. [2] [3]

After the attack, the Poly team asked exchanges and miners to watch for the flow of stolen tokens and called for the hackers' transactions to be blocked; Tether froze $33 million worth of USDT. In an open letter on Twitter, the Poly team sought to establish communication with the hackers and urged them to return the stolen tokens.

The hackers announced on August 11, 2021 that they had always planned to return the tokens. They claimed that the purpose of the theft was to expose vulnerabilities and make Poly Network more secure. They communicated with the public through a Q&A, embedding messages in transactions sent from their addresses. [4]

The hackers demanded that the assets be returned through multi-signature addresses. Poly Network generated a collection address and began receiving the first returned assets on August 11. On August 13, the hackers returned assets worth $340 million and transferred the bulk of the remainder to a multi-signature address jointly controlled by them and Poly Network. [5] [6]

After receiving the tokens, Poly Network began addressing the hackers as "Mr. White Hat" and offered them a $500,000 bug bounty and the position of "chief security advisor" of Poly Network, as a strategy to ensure the safe return of the rest of the affected assets. [7]

The last of the hacked money was returned to Poly Network on August 25. [8]

Reaction

Poly Network's decision to refer to the hackers as "white hats" angered some in the security community, who worried that it might set a precedent for criminal hackers to whitewash their actions. White hat hacker Katie Paxton-Fear said that "labelling this hack as a white hat is really disappointing". [9] Charlie Steele, a former Department of Justice and FBI official, said that "Private companies have no authority to promise immunity from criminal prosecution," and that "in this event where a hacker stole the $600m 'for fun' and then returned most of it, all while remaining anonymous, is not likely to lessen regulators' concerns about the variety of risks posed by cryptocurrencies." [9]

Aftermath

Poly Network launched a global bug bounty program on Immunefi. The program aims to encourage more security firms and white hat organizations to audit Poly Network's core functions and to address potential security risks. Rewards are distributed according to the impact of the vulnerability under the Immunefi Vulnerability Severity Classification System, with rewards of up to $100,000 for critical vulnerabilities. [10]

References

  1. "Poly Network Whitepaper" (PDF). Archived (PDF) from the original on 2020-10-26. Retrieved 2020-05-20.
  2. Ponciano, Jonathan. "More Than $600 Million Stolen In Ethereum And Other Cryptocurrencies—Marking One Of Crypto's Biggest Hacks Ever". Forbes. Archived from the original on 2021-12-04. Retrieved 2021-12-04.
  3. KrakenFX (2021-09-22). "Abusing Smart Contracts to Steal $600 million: How the Poly Network Hack Actually Happened". Kraken Blog. Archived from the original on 2022-07-17. Retrieved 2022-07-17.
  4. Russon, Mary-Ann (2021-08-11). "Cryptocurrency heist hacker returns $260m in funds". BBC. Archived from the original on 2021-08-11. Retrieved 2021-08-11.
  5. John, Alun (2021-08-14). "Crypto platform Poly Network rewards hacker with $500,000 'bug bounty'". Reuters. Archived from the original on 2021-08-13. Retrieved 2021-08-14.
  6. "Poly Network Attacker Returning Funds After Pulling Off Biggest DeFi Theft Ever". Chainalysis. 2021-08-12. Archived from the original on 2022-07-17. Retrieved 2022-07-17.
  7. "'White hat' hacker behind $610m crypto heist returns most of money". The Guardian. Retrieved 2021-08-13.
  8. Browne, Ryan (2021-08-23). "Hacker behind $600 million crypto heist returns final slice of stolen funds". CNBC. Archived from the original on 2022-07-17. Retrieved 2022-07-17.
  9. Tidy, Joe (2021-08-13). "Crypto hacker offered reward after $600m heist". BBC. Archived from the original on 2021-08-12. Retrieved 2021-08-13.
  10. "Poly Network Joins Immunefi With $100,000 Bug Bounty After Hack". Archived from the original on 2021-08-17. Retrieved 2021-08-17.