Hey all!
I've seen some misinformation being spread about how the Poly Network hack worked and what it was actually targeting. I want to clear it up, because this is a big barrier to get people involved in the DeFi Space.
WHO DID THE HACK TARGET
This is a big question to ask. I've seen a couple of comments like "Not your keys, not your Crypto" and likening it to BitConnect or Mt. Gox. It's similar but with a big caveat, these types of attacks DON'T typically target users crypto in their wallet. Custodial exchange and Centralised Lending will often target users Crypto just chilling in a Spot Wallet.
When you supply liquidity to a protocol on DeFi, IT IS NOT YOUR CRYPTO. You're keys should still be able to authorise the withdrawal of that Crypto or your wallet will have a receipt of supplying like cETH or LP tokens. You are still ultimately the custodian of your own Crypto in DeFi
If you've been interacting with DeFi protocols, it is highly unlikely you will wake up to a drained Metamask after one of these hacks. You are too small of a fish for those types of attacks to target. You are more likely to have fallen for Phishing scams if that is the case.
Typically hacks like this target Liquidity Pools. Liquidity Pools often have immense values in them, now you may lose Crypto you have deposited in a hacked pool or farm but often times protocols come up with solutions to reimburse any lost crypto like PancakeBunny earlier this year that suffered a Flash Loan attack.
Poly Network holds large liquidity pools to facilitate cross chain transfers, holding a lot of exit liquidity on each chain. The money that was hacked from this event is likely to have been stolen from those who have large amounts of liquidity staked. This is not likely to be you farming CAKE on PCS!
Cross Chain protocols are incredibly hard to code, and they should be treated with caution when supplying liquidity to them.
HOW DID THE ATTACK TAKE PLACE?
I want to keep this part simple for those not technically minded but there are currently two working theories as to how the hack took place. They both involve the private keys for the ownership of the liquidity pools.
Theory 1: Leaked Key
Now, Poly Network has a big security problem from the outset. They had a single sig key to the pools which means that only one signer would need to authorise any changes to the liquidity pool, including withdrawal of funds. This is like leaving a vault of gold with only one key. If you wanted to access this, there wouldn't be any other parties involved and no oversight from someone who could say "Hey, what are you doing!".
Current theories suggest that this key was leaked or hacked via another method off-chain. This is the story from early official post mortem from Poly Network
EDIT: This theory has been disproved by Poly Network, but I wrote it so I thought I'd leave it here as an example of an early working theory. In addition, Poly Network could be shifting blame and lying.
Theory 2: Hacked Contracts
There are two important contracts. A "manager" contract and a "data" contract. The data contract specifies the address which can submit transactions which can withdraw funds from the pool. If someone was to replace this address in the contract to theirs, they could withdraw as much from the pools as possible.
In Solidity there is a concept called Ownership. A smart contract can set certain functions to only execute if the owner executed them. Typically when constructed the owner is the wallet who deployed the contract, which is typically the developer. However, in this case the Owner of the "Data" contract was the "Manager" contract.
So now, if you were to call a function which could replace the address in the data contract with theirs from the manager, it would be allowed.
But here's another flaw in the design of Poly Network. The "manager" contract exists to run transactions on different chains. It has a function called verifyHeaderAndExecuteTx which verifies that a transaction exists on one chain, and if it does, runs it on another. This is needed for cross chain interoperability.
But wait... we've now got a way to run arbitrary functions from the "manager". If the attacker devises a specific input they can now freely set the most important address, the one which says who can withdraw from the pools, to theirs.
This has been confirmed by Poly Network: https://polynetwork.medium.com/?p=e30cf27468f0
Closing Remarks
Please don't hesitate to ask any questions about the hack or areas you might not understand so I can clear them up. The technical stuff is very hard to explain in the least technical way possible!
[link] [comments]
You can get bonuses upto $100 FREE BONUS when you:
π° Install these recommended apps:
π² SocialGood - 100% Crypto Back on Everyday Shopping
π² xPortal - The DeFi For The Next Billion
π² CryptoTab Browser - Lightweight, fast, and ready to mine!
π° Register on these recommended exchanges:
π‘ Binanceπ‘ Bitfinexπ‘ Bitmartπ‘ Bittrexπ‘ Bitget
π‘ CoinExπ‘ Crypto.comπ‘ Gate.ioπ‘ Huobiπ‘ Kucoin.
Comments