Author: Syedur Rahman
27 August 2021
A decentralised financial network that said hackers had absconded with cryptocurrency worth $610m has reported that almost all of it has now been returned.
On August 10, Poly Network said that the crypto had been taken from it. It wrote a letter on Twitter, asking whoever was responsible to contact them "to work out a solution". Late on August 11, the alleged hacker posted messages pledging to return funds. This was followed by Poly Network saying that $260m of the $610m had been returned.
The company, which is a blockchain platform, has revealed that $33m in stablecoin tether is currently outstanding as it has been frozen by the company managing it. Poly Network is currently in talks to unfreeze these remaining funds.
The hacker(s) reportedly claimed to be “ethical” hackers who had spotted an unspecified bug, wished to “expose the vulnerability” before others could exploit it and had always planned to return the funds.
The hacker claimed that the theft was carried out to highlight vulnerabilities in Poly Network software. Poly Network had said that whoever carried out the attack had exploited a weakness in its system.
The attack has harmed the credibility of decentralised finance (DeFi), which has been a rapidly expanding part of the cryptocurrency market, and has emphasised the limited protection for consumers and investors.
Poly Network is a decentralised financial platform, which means that it has developed a computer protocol for users to move tokens tied to one blockchain to a different network. Supporters of such systems see them as a way of allowing the direct trading of digital assets without the need for intermediaries who charge fees.
But the hackers exploited a weakness in its system between contract calls (where a user requests a specific function from a smart contract that, unlike a transaction, doesn't publish anything on the blockchain) in order to access ledgers, transfer money and then send it to various other cryptocurrency addresses.
Recently, we have been seeing a huge increase in cryptocurrency hacks and frauds. In these cases, those carrying out the attacks are taking advantage of vulnerabilities in the platforms that deal with crypto. Once the crypto assets are stolen, they are diverted away to other wallets. This makes it difficult to identify both the funds and those who carried out the attacks.
DeFi has become a key target for attacks. The total value of DeFi-related hacks has tripled since last year. From January to July this year, DeFi-related fraud accounted for 54% of all crypto fraud, compared with just 3% for all of 2020.
Attacks like this can only be prevented through increased oversight by financial regulators, such as the Financial Conduct Authority, which can protect investors from such activity. There also needs to be better communication from crypto exchanges, who should also be taking more action to block transfers and blacklist the affected tokens. In our experience, the exchanges can be obstructive, although they do now seem to be learning and improving their responses to such activity.
If the police could devote more time and resources to investigating crypto crimes, it would prevent the situation where only those who can bring costly civil litigation have any hope of regaining what they have lost. It would probably also be a much quicker way of holding to account those who are to blame.
But, arguably most crucially, the exchanges have to learn from the vulnerabilities that have been exploited in order to remove those weaknesses and reduce the possibility of future attacks.
Syedur Rahman is known for his in-depth experience of serious fraud, white-collar crime and serious crime cases, as well as his expertise in worldwide asset tracing and recovery, international arbitration, civil recovery, cryptocurrency and high-stakes commercial disputes.