A hacker exploited a vulnerability in the bridge protocol, creating BUSD, BNB, and SHIB cryptoassets on different blockchains. Specifically, hackers generated 24 billion BUSD and BNB on Metis and 999 trillion SHIB on Heco. The Poly Network team later clarified that the exploit affected 57 crypto-assets across 10 blockchains, including Ethereum, BNB Chain, Polygon, Avalanche, Heco and Metis. The hacker’s estimated profits from the hack range from $400,000 to $4 million.<br
On Sunday, July 2, the platform suspended service to users. Poly Network executives said they sought help from centralized exchanges and law enforcement. The platform’s specialists recommended cryptocurrency holders to withdraw liquidity and unlock LP tokens supplied by users.
Project security analyst DeFi, who uses the Twitter alias 0xArhat, wrote that the exploit stemmed from a smart contract vulnerability. This allowed the hacker to create a malicious parameter with a fake validator signature and block header. The smart contract accepted this parameter and the hacker was able to bypass the verification process, then began issuing tokens from the Poly Network ether pool and sending them to his address in the Metis, BNB Chain and Polygon blockchains.
This procedure was repeated many times, which allowed the accumulation of a large amount of crypto-assets. According to the analyst, at one point the hacker had accumulated about $42 billion worth of crypto assets in his wallet, but the attacker was only able to sell some of them, due to limited market demand.
This is not the first time Poly Network has faced a major attack. In August 2021, the platform lost about $611 million. However, in the same month, the hacker recovered all the stolen crypto-assets. After that hack, Poly Network launched a vulnerability detection program with the Immunefi platform.<br