On August 10, the cross-chain platform Poly Network suffered an attack, which resulted in crypto assets worth over 600 million being stolen from multiple blockchains.
“Cross-Chain Hacking is hot”
The largest blockchains that were targeted were Ethereum, Binance Smart Chain, and USDC on Polygon. The attacker managed to steal 273 million, 253 million, and 85 million USD respectively from these chains.
Using Ethereum transactions for messaging, the anonymous hacker is conducting an AMA in which he explains the reasons for the attack. He states that cross-chain hacking is “hot”:
“The Poly Network is [a] decent system. It’s one of the most challenging attacks that a hacker can enjoy. And I had to be quick to beat any insiders or hackers.”
White Hat Hacker promises to return (most of) the Money
In his AMA, the hacker also stated that he does not have any ill intentions. He said that he only exploited Poly’s smart contracts and took the money to keep it safe from others who might know about the bug:
“When spotting the bug, I had a mixed feeling. Ask yourself what to do had you facing so much fortune. Asking the project team politely so that they can fix it? Anyone could be the traitor given one billion. I can trust nobody! The only solution I can come up with is saving it in a trusted account.”
The hacker said that he is not interested in money and promised to return all of the stolen crypto assets. According to blockchain analytics firm Elliptic, the hacker has already returned a sum of 258 million USD and is currently in negotiations with Poly to return the rest.
It was only a matter of time until such white hat hackers emerged in blockchain networks. While DeFi and smart contracts have made it comparatively easy to steal millions of dollars, laundering the money so that you can spend it is a completely different task. On top of that, you know that you are a wanted man the moment you transfer the money to your wallet, only to end up with an unfathomable sum of money that you can’t use.
Returning the money and maybe keeping a small percentage for yourself seems like a far more reasonable decision. Blockchain projects should consider condoning or even promoting this type of honest behavior by letting hackers get away with a small fraction of the stolen money. This both gives hackers a strong incentive to return the money and helps projects learn about their most crucial security flaws.