The DeFi platform Poly Network suspended its services over the weekend following a major hack that affected over 57 assets across several blockchain platforms on 10 blockchains, including Ethereum, Binance’s BNB Chain, Metis, Polygon and more.
“To minimize further risks, we have reached out to the majority of project teams and urged them to promptly withdraw liquidity from decentralized exchanges. We also strongly advise users who hold the affected assets to expedite the process of withdrawing liquidity and unlocking their LP tokens,” the team said in a tweet.
According to reports, attackers minted millions of tokens after exploiting a smart contract mechanism in the bridge tool of Poly Network. The vulnerability allowed the hacker to “craft a malicious parameter containing a fake validator signature and block header” and bypass the verification process. The attacker then issued tokens from Poly Network’s Ethereum pool to their address on other chains, such as Metis, BNB Chain, and Polygon.
It’s currently unclear how much funds have been stolen as different security experts provide different estimates.
For instance, blockchain security firm PeckShield estimates that $42 billion worth of cryptocurrency was minted while another security firm Dedaub said $34 billion was minted. Although the attacker managed to mint this amount, they weren’t able to withdraw it due to a lack of liquidity. It appears that the hacker was only able to convert and steal a fraction of digital coins.
This is not the first massive hack in Poly Network’s history. In August 2021, the platform suffered a similar incident, in which hackers used the protocol to steal over $600 million worth of digital assets. Poly Network urged the attackers to return the stolen funds and a day later the hacker returned cryptocurrency valued at $578.6 million of the initial $612 million stolen.
