Letter #33: PolyNetwork and the Biggest Hack in DeFi History


Dear readers,

Various areas of cryptocurrency and blockchain have exploded in popularity over the past several years, and Decentralized Finance (DeFi) has certainly seen its fair share of that growth: the total value locked in DeFi applications has ballooned from less than $1 billion in May 2020 to around $80 billion as of this writing.

DeFi’s popularity has grown for a variety of reasons that we’ll discuss below. But as DeFi has grown, so have the risks associated with using it. Whether from flaws in the protocols’ software or exit scams perpetrated by the entities to which we entrust our crypto, losses have mounted for users across the DeFi landscape.

Perhaps the most common risk to DeFi protocols and their users is that of external hacks. CipherTrace, a leading blockchain analytics company, estimates that over $350 million USD worth of crypto assets were stolen from DeFi during just the first seven months of 2021. That number was quickly dwarfed earlier this week by a single hack perpetrated against an up-and-coming protocol in the space: PolyNetwork.


Decentralized Finance vs. Traditional Finance

Before discussing the PolyNetwork hack in detail, it may be helpful to get a sense of what Decentralized Finance offers and how it differentiates itself from traditional finance and the centralized companies with which we’ve become familiar over the decades:

Traditional Finance (TradFi)

There are a host of different financial offerings that we take advantage of on a daily basis and, up until the last decade or so, none of them took place over a blockchain. Banking, investing, insurance, and more were usually the realm of financial titans like JP Morgan Chase, UnitedHealth Group, and Charles Schwab. These companies require their customers to hand over mountains of their personal information and control of their financial assets before they can even access the platforms. And once those customers begin using those platforms, the companies have complete control over the customers’ experience and extract massive fees for the services they provide.

Decentralized Finance (DeFi)

DeFi offers users a better way to manage their financial lives. For one, DeFi is open to anyone irrespective of who they are or what their motivations may be. Many DeFi protocols don’t actually require anything other than a cryptocurrency wallet in order to join and use their services. So DeFi offers the best chance at reaching the billions of individuals worldwide who remain unbanked. It gives them the opportunity to take control of their financial lives without having to entrust their finances to a centralized corporation or government.

DeFi also commonly offers users the ability to access protocols in a non-custodial fashion, meaning that users sometimes aren’t required to entrust their assets to DeFi in order to use it. Now, that isn’t always the case, and it certainly isn’t applicable to PolyNetwork. But wherever DeFi enables non-custodial usage, user funds are typically much safer from loss through hacks, scams, or code deficiencies. After all, a thief will likely be much less motivated to attack ten thousand separate wallets that each contain a few hundred USD worth of crypto than a single wallet holding $50 million.

Another important benefit of DeFi is that it can enable financial transactions to take place more efficiently and cheaply than legacy financial systems. Overdraft fees, ATM fees, and the like don’t apply to DeFi applications (dApps). What you will pay are network (gas) fees to move your crypto assets into and out of a dApp, which on a congested chain like Ethereum can be substantial, and perhaps a conversion fee if you exchange one type of asset for another.

PolyNetwork: Building the Next Generation Internet

The PolyNetwork protocol was created in late summer of 2020 in response to the growing issue of blockchain segregation. The development team behind the project set out to address the interoperability of blockchains so that information and digital assets could more easily flow from network to network, even between blockchains as different from one another as Bitcoin, Ethereum, and the Binance Smart Chain. In a sense, they believe that the value and usability of all blockchains can be improved by removing the barriers between them.

PolyNetwork has grown rather rapidly in the year since its launch and was home to around one billion U.S. dollars worth of cryptocurrency. However, the protocol’s assets under management (AUM) were cut by more than half on the morning of August 10th, 2021, when a hacker or group of hackers stole more than $600 million USD of cryptocurrency in a single attack.

SlowMist, an organization focused on blockchain security, indicated that the hack likely occurred due to a vulnerability in the smart contract used by PolyNetwork for cross-chain asset transfers. Essentially, the hackers were able to replace the address that the cross-chain contract treats as its trusted signer (its “keeper”) with an address they controlled, after which the contract would honor withdrawal instructions signed by the hackers rather than by the protocol. The hackers replicated the attack across the blockchains for Polygon, Ethereum, and the Binance Smart Chain to steal Ether, Binance Coin, USD Coin, Shiba Inu, Uniswap, and several other cryptocurrencies. All in all, tens of thousands of PolyNetwork users were directly impacted by the loss of funds from the protocol.
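To make the bug class concrete, here is an added toy model of a cross-chain bridge executor with the weak design beside its hardened form. It is an illustration written for this letter, not PolyNetwork’s code, and this letter does not describe the exact call path inside the real contracts; the contract names (CrossChainData, CrossChainManager, Vault), the method names and the addresses are all assumptions. The point it shows is the one above: if the executor will route a relayed message at its own configuration contract, the protocol’s trusted keeper address can be swapped for the attacker’s, and every later withdrawal the attacker signs looks legitimate.

```python
"""Toy model of a cross-chain bridge executor (illustration only, not PolyNetwork code).
Contract names, method names and addresses are assumptions chosen to show how a
protocol's privileged "keeper" address can be overwritten when the executor can be
steered at its own configuration contract."""
from dataclasses import dataclass

KEEPER = "0xkeeper"        # constructed: the protocol's legitimate keeper
ATTACKER = "0xattacker"    # constructed: the attacker's wallet
MANAGER = "0xmanager"      # constructed: address of the executor contract
DATA = "0xdata"            # constructed: address of the configuration contract
VAULT = "0xvault"          # constructed: address of the asset vault


@dataclass
class Message:
    """A relayed cross-chain message: which contract to call on this chain, and how."""
    signer: str      # keeper that attested to the message on the relay side
    target: str      # destination contract address
    method: str      # method to invoke on the target
    args: tuple = ()


class CrossChainData:
    """Configuration contract: stores the keeper the manager trusts.
    Only its owner (the manager contract) may change it."""
    def __init__(self, owner: str, keeper: str):
        self.owner, self.keeper = owner, keeper

    def set_keeper(self, caller: str, new_keeper: str) -> None:
        if caller != self.owner:
            raise PermissionError("only owner may change keeper")
        self.keeper = new_keeper


class Vault:
    """Asset contract: releases locked funds only when the manager asks."""
    def __init__(self, manager: str, locked: int):
        self.manager, self.locked = manager, locked
        self.paid = {}

    def unlock(self, caller: str, to: str, amount: int) -> None:
        if caller != self.manager:
            raise PermissionError("only manager may unlock")
        if amount > self.locked:
            raise ValueError("insufficient locked funds")
        self.locked -= amount
        self.paid[to] = self.paid.get(to, 0) + amount


class CrossChainManager:
    """Executor: checks the message was attested by the current keeper, then calls
    the requested method on the requested target in its own name."""
    def __init__(self, data: CrossChainData, contracts: dict, hardened: bool):
        self.data, self.contracts, self.hardened = data, contracts, hardened
        # Hardened form: only asset contracts may be targets of relayed messages.
        self.allowed_targets = {a for a, c in contracts.items() if isinstance(c, Vault)}

    def execute(self, msg: Message) -> None:
        if msg.signer != self.data.keeper:
            raise PermissionError("message not attested by current keeper")
        # The fix: a relayed message must never be able to reach the executor's own
        # privileged configuration, so restrict targets to an explicit allowlist.
        if self.hardened and msg.target not in self.allowed_targets:
            raise PermissionError(f"target {msg.target} not allowed")
        target = self.contracts[msg.target]
        getattr(target, msg.method)(MANAGER, *msg.args)


def run_attack(hardened: bool) -> dict:
    """Replay the two-step takeover against a fresh deployment and report the outcome."""
    data = CrossChainData(owner=MANAGER, keeper=KEEPER)
    vault = Vault(manager=MANAGER, locked=1_000)
    manager = CrossChainManager(data, {DATA: data, VAULT: vault}, hardened)

    # Step 1: the relay attests whatever users submit on the source chain, so the
    # legitimate keeper's attestation ends up on a message aimed at the config contract.
    takeover = Message(signer=KEEPER, target=DATA, method="set_keeper", args=(ATTACKER,))
    try:
        manager.execute(takeover)
        # Step 2: now registered as the keeper, the attacker attests its own withdrawal.
        drain = Message(signer=ATTACKER, target=VAULT, method="unlock", args=(ATTACKER, 1_000))
        manager.execute(drain)
        blocked = False
    except PermissionError:
        blocked = True
    return {"blocked": blocked, "keeper": data.keeper,
            "stolen": vault.paid.get(ATTACKER, 0), "locked": vault.locked}


if __name__ == "__main__":
    print("vulnerable:", run_attack(hardened=False))
    print("hardened:  ", run_attack(hardened=True))
```

Run it and the vulnerable deployment ends with the attacker recorded as keeper and the vault emptied, while the hardened one rejects the first message before the keeper changes. The lesson generalizes beyond this toy: any contract that can make arbitrary calls on behalf of a privileged role must treat its own configuration as off-limits to the messages it relays.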


DeFi-ing the Trend: A Happy Ending for PolyNetwork?

Hacks in any industry typically do not have happy endings and it is rather uncommon for stolen funds to be recovered. DeFi and cryptocurrency are no different and stolen funds commonly disappear into the ether (often quite literally since many of the largest DeFi protocols run on top of the Ethereum blockchain).

Public blockchains do, however, put a difficult hurdle in the way of hackers: transactions are public and immutable. It is easy for even the most inexperienced crypto participant to use a blockchain explorer to follow transactions, good or bad, from address to address. As a result, crypto hackers commonly have trouble laundering stolen funds, since exchanges and stablecoin issuers can flag or freeze assets tied to a known theft, and the funds often sit unmoved in the hackers’ wallets indefinitely.

Such seems to have been the case for the PolyNetwork hackers. The addresses they used to collect their ill-gotten gains were quickly identified and the development team behind the protocol reached out to large entities like Tether and Binance to request their assistance flagging and blocking the stolen funds. On top of that, SlowMist indicated that their security team had identified the hackers’ email, IP address, and other identifiers that, if correct, would allow authorities to rather easily locate and apprehend the hackers.

These developments seem to have impacted the hackers’ desire to keep the stolen funds, as they began returning the funds to the PolyNetwork protocol within about a day of the hack.

In follow-up communications after the attack, the hackers indicated that they always intended to return the funds and that they were only attempting to bring attention to a flaw in the protocol’s smart contracts before a bad actor actually stole the funds. Whether or not that is true remains to be seen, but in all honesty the hackers would certainly stand to benefit from people assuming that they were white hats trying to bolster DeFi security rather than crypto thieves out for their own gain.
