Hackers pulled off the biggest ever cryptocurrency heist on Tuesday, stealing $613 million in digital coins from token-swapping platform Poly Network, only to return $260m worth of tokens less than 24 hours later, the company said.
A lesser-known name in the world of crypto, Poly Network is a decentralised finance (DeFi) platform that facilitates peer-to-peer transactions with a focus on allowing users to transfer or swap tokens across different blockchains.
Poly Network operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tokens are swapped between the blockchains using a smart contract that contains instructions on when to release the assets to the counterparties.
One of the smart contracts that Poly Network uses to transfer tokens between blockchains maintains large amounts of liquidity to allow users to efficiently swap tokens, according to crypto intelligence firm CipherTrace.
Poly Network tweeted on Tuesday that a preliminary investigation found the hackers exploited a vulnerability in this smart contract.
According to an analysis of the transactions tweeted by Kelvin Fichter, an Ethereum programmer, the hackers appeared to override the contract instructions for each of the three blockchains and diverted the funds to three wallet addresses, digital locations for storing tokens. These were later traced and published by Poly Network.
The attackers stole funds in more than 12 different cryptocurrencies, including Ether and a type of Bitcoin, according to blockchain forensics company Chainalysis.
As of late Wednesday, the hackers had returned $260m of the assets, Poly Network said, but $353m was outstanding. It is unclear where the remaining assets have gone.
Coindesk reported that the hackers had tried to transfer assets including tether tokens from one of the three wallets into liquidity pool Curve.fi, but that transfer was rejected. About $100m has been moved out of another of the wallets and deposited into liquidity pool Ellipsis Finance, Coindesk also reported.
The hacker or hackers have not yet been identified.
Cryptocurrency security firm SlowMist said on its website that it has identified the attacker’s mailbox, internet protocol address, and device fingerprints, but the company has not yet named any individuals. SlowMist said the heist was “likely to be a long-planned, organised and prepared attack”.