Hacking the DeFi Ecosystem (Part I)

24 Aug 2021

The recent Poly Network hack is a cogent reminder that there is still much work to be done in the Decentralized Finance (DeFi) industry. Hacking is as old as the internet itself (and maybe even older than that) and is set to become an increasing feature as the Web continues to evolve and move towards a new paradigm. What are the implications of this? And what can be done to safeguard against such attacks?

The Origins of Cyber Subterfuge

The media tends to color hackers as faceless types sporting dark gray hoodies who careen through reams and reams of green ones and zeroes at breakneck speeds. Now that’s fun and all, but what you might consider the first hackers actually came into being in the 1960s at MIT, or at least so a 2002 Help Net Security article by Spyd3r (a delightfully 2002 moniker) alleges. Make no mistake: the very first hackers were brilliant people who sat for hours practicing coding in FORTRAN and several other older languages. Back in the 60s, nobody really paid any mind to hackers, and most people didn’t even know what a hacker was. A little while later, ARPANET was developed by the Department of Defense in order to link government offices. Over time, ARPANET evolved into the internet that we know and love today.

Without the government, there would be no internet. Now that’s a trip!

Later in the 1980s, the term ‘Cyberspace’ was coined from a 1984 novel called Neuromancer by William Gibson. Hackers were still largely unknown to the public at this time, but infamous groups like the US-based Legion of Doom and German Chaos Computer Club came into existence and are still regarded as two of the most well-known and respected hacker groups to this very day. The 90s saw hacking evolve and rise to prominence. Hackers engaged in practices like ‘cracking’ software, ‘phreaking’ (exploiting phone systems) and of course, ‘social engineering’ (exploiting human beings and communities).

As computing power and technology have developed over time, hacking has become ever more complex and difficult to prevent. In a recent Gulf Business article, Gaurav Mohan makes it clear that the cost of cybercrime is on the rise and that businesses need to invest in cybersecurity. And let’s be honest: the last thing anyone wants is to suffer the effects of a ransomware attack and have all of their data and personal information compromised. As it just so happens, crypto and DeFi platforms will need to make doubly sure that their offerings are ironclad and resistant to attacks. This is no small task though, and you can bet that DeFi protocols will need to focus sharply on security and data integrity if they want to guard against any possible attacks.

Nothing is Sacred

OK, maybe passphrases, mnemonics, and gains are sacred in crypto, I’m pretty sure of that. But as I’ve said before, the world of crypto is a lot like the Wild West. While there are numerous reputable projects with great teams and awesome tech, to assume that there aren’t any bugs in their systems would be short-sighted. I mean, we can all reasonably assume that our funds are safe and being taken care of, right? I’m sure in most cases users feel certain their cryptoassets are secure and easy to access. However, I don’t think anybody can guarantee beyond a shadow of a doubt that there is zero chance of something going wrong.

The thing is, stuff can go awry for a couple of different reasons, and sometimes it’s for reasons we didn’t even really give any thought or consideration to. In truth, there are those situations where people simply don’t know something was amiss until things actually go wrong. Sure, that’s totally understandable, but this is crypto. While we may like to kid around, it’s serious business and serious money. Before implementing anything for public consumption, it’s crucial that tests are performed and analyses carried out to safeguard against any unforeseen eventualities. And if you have any doubts that some vulnerabilities still exist, test, test, and test again…

Naturally, tests have their limitations as well. Firstly, if they aren’t properly designed or don’t include all the relevant criteria, it’s possible to make some serious oversights. Sadly, a lot of issues arise in the most obvious places, and even when teams are made aware of vulnerabilities, they are often slow to address them, or worse, totally apathetic. This is bad news because many DeFi platforms are more or less copy-pasted from existing ones that possess certain vulnerabilities. And as you can imagine, with only a few alterations and some cosmetic treatment separating platforms, these flaws get replicated over and over again, leaving millions or even billions of dollars’ worth of tokens exposed to hackers and bad actors.

Take it Away, Then Give it All Back Again…

On Tuesday, August 10th, the biggest hack in DeFi history to date went down. Poly Network, an interoperable cross-chain DeFi platform that allows peer-to-peer (P2P) exchanges to take place between different Blockchains, had over $610 million worth of tokens stolen from the Ethereum, Polygon (formerly Matic) and Binance Smart Chain platforms. According to reports from various sources, this enormous hack occurred via one of the smart contracts employed by Poly Network that serves to provide high levels of liquidity to streamline token swaps. This particular contract allegedly contained a hidden vulnerability that allowed the keeper address to be modified to one specified by the hacker(s).

As a direct result, all of the funds were subsequently diverted into three different wallets (one for each of the three Blockchains). Soon after the hack, Tether froze about $33 million in stolen USDT, preventing the hacker(s) from dumping a large number of their stolen tokens into Curve.fi, an online liquidity pool. After several attempts to process the transaction, an anonymous user provided a ‘tip-off’ to the hacker(s), informing them that they had been blacklisted by Tether. The hacker(s) were then able to transfer their funds without the USDT and paid the anonymous user, one ‘hanashiro.eth,’ about $42,000 in ETH for their trouble. Talk about a payday!

Introducing ‘Mr. White Hat’

Now believe it or not, pretty much all of the funds stolen from Poly Network have since been returned with the exception of the blacklisted Tether. Why is this, you ask? Apparently the thief is in fact a ‘white hat’ hacker, someone with morals and ethics who simply wanted to make the vulnerability public knowledge. And of course they always intended to return the funds…which is why they stole, uh, $610 million? Does that actually make any sense?

Oh, and if a Reuters article by Alun John and Tom Westbrook is correct, Poly Network attempted to pay ‘Mr. White Hat’ $500,000 as a ‘bug bounty’ for finding the vulnerability and safely returning the funds. And as if that isn’t enough, Poly Network hopes to continue working with Mr. White Hat to further develop the protocol. According to a more recent Coinfomania report by Obike Favour, the hacker(s) actually rejected the $500,000 bounty, stating that it should instead be put towards the technical community who have made significant contributions towards making Blockchains more secure. Despite this, Poly Network is still adamant on paying ‘Mr. White Hat’ the $500,000 to ‘continue his good work’ if you will and wishes to appoint him as their Chief Security Adviser. How serendipitous!

So was the hacker(s) really a ‘white hat’ all along? Maybe they just had a change of heart (AKA feared the Mafia breaking their legs)? Or is this some kind of elaborate PR stunt by Poly Network to get their name out there? I don’t know about you, but the timeline of this entire debacle has been surprisingly, shall we say, well-orchestrated? Maybe I’m wrong, but personally, something about this whole thing stinks. And I’m not the only one who feels this way…

Trust me, that’s just a small sample of Tweets and comments espousing the same sentiment. It doesn’t really matter whether the Poly Network hack was really an inside job or not. The point is that it exposes the very real problems that exist within the DeFi Industry in that many so-called ‘decentralized’ and ‘secure’ platforms are anything but. With these kinds of hijinks, it’s really no shock that regulators are seeking ways to bring DeFi platforms in line and introduce some kind of standard to prevent these kinds of events from occurring. I really want to believe this wasn’t an inside job, but the cynic in me tells me otherwise.

Should I Be Afraid?

I don’t think so, but I do think anyone taking part in anything crypto-related, especially NFTs and DeFi, needs to make sure they are putting their money in the best protocols and projects available. How do you know what those are? Check out what the community says, look at the project’s history, see what their use case is and what they hope to achieve. If the platform sounds shady, it totally is, and if it sounds too good to be true…it probably is!

DeFi is not for everyone, and that’s OK. However, if you really are serious about yield farming and liquidity pools, remember that the chances for big gains are huge, but the possibility of some kind of issue occurring cannot be discounted. Yes, hacks are real and set to stay I fear, so be very careful about where you put your capital and question why you’re doing it. There’s more to life than money…just ask ‘Mr. White Hat’ and he’ll probably tell you the exact same thing.

Brynn is the Content Manager at ARK.io, lead DeFi writer for MarketSquare and die-hard metalhead. When not researching yield farming, he spends his time crushing demons in DOOM or shredding his favorite axe.