‘Mr. White Hat’: Why the Poly Network Hack Taught DeFi an Expensive Lesson Moving Forward

Last week, a decentralized finance (DeFi) platform called Poly Network fell victim to the largest crypto heist to date, with hackers making off with more than $600 million worth of crypto. 

Ironically, the company was able to receive most of the stolen funds back from the hacker, after pleading with them to return the funds in exchange for a bounty. 

An individual claiming to be the hacker responded to Poly Network’s public message, saying that the purpose of the attack was “for fun.”

Launched in August 2020, Poly Network is a DeFi platform that connects different blockchains, which allows users to transfer or swap tokens across different networks through facilitated peer-to-peer (P2P) transactions. For example, a user could come to Poly Network to transfer tokens such as Bitcoin from the Ethereum blockchain to the Binance Smart Chain. 

For those new to the world of decentralized finance and digital assets, a “blockchain” is a digital ledger of transactions that is maintained by a distributed network of computers, rather than by a centralized authority, which is what we have been accustomed to since the birth of the Internet. 

So, how did it happen? The hacker allegedly exploited a flaw in Poly Network’s smart contract code to steal the funds, making off with more than $610 million worth of crypto in the attack. 

Currently, Poly Network operates on the Binance Smart Chain, Ethereum, and Polygon blockchains. Tokens are swapped between these blockchains by means of smart contracts: coded sets of instructions that specify when to release the assets to the counterparties. 

The contract that was attacked is one of the platform’s smart contracts used to transfer tokens between blockchains; it maintains large amounts of liquidity so that users can swap tokens efficiently. In a tweet, Poly Network said it believed there was a vulnerability in that smart contract which allowed the hacker(s) to make off with the money. 

One Ethereum programmer believes that the hackers overrode the contract instructions on each of the three blockchains and diverted the funds to three wallet addresses, i.e., digital locations for storing these tokens. 

Most unusual was the hacker’s response, returning nearly half of the crypto the following day, according to Poly Network. But why?

In a White Hat World…

Believe it or not, not all hackers are inherently bad. In an age where reducing the spread of misinformation matters, it’s important to first characterize cyber attacks based on the motives behind them. In the world of cybersecurity, there are three types of hackers. 

Let’s explore each one, according to Norton Security:

Black Hatter

When we learn about cybersecurity incidents, we often hear about these attacks categorized as “black hat” attacks. 

The primary motivation of a black hatter is to exploit vulnerabilities for personal or financial gain. Cyber espionage, protest, or the mere thrill of exposing a system often come into play in black hat attacks. The end goal is to steal data, as well as to modify and/or destroy it. 

There is no requisite experience level, but most who attempt it are well-versed in hacking into computer networks and bypassing security protocols. 

Grey Hatter

Grey hat hackers demonstrate characteristics of both a black hatter and a white hatter. Usually these hackers are not inherently malicious, but are simply looking for some type of compensation for their discoveries. 

The goal behind these attacks is not to exploit the vulnerabilities they find, but to be rewarded for finding the issues and compensated for fixing them. In the event the hacker is not paid for their “work,” they sometimes post the newly found exploit online for the community to see. You can see the “grey line” here, pun intended.

The reason this behavior is still considered illegal, and subject to the Computer Fraud and Abuse Act (CFAA), a federal U.S. statute that governs unauthorized access to computers and networks, is that the attack is carried out without the system owner’s prior permission. 

White Hatter

Like the angels they are, white hat hackers choose to hack “ethically.” Usually, these hackers are paid employees or contractors working for companies or governments that want to find their security holes.

The main difference between a white hat hacker and a black hat hacker is permission. Both use the same methods to hack, but one does so with permission from the owner of the system first, making the conduct legal. Ethical hacking also has online courses, training, conferences, and certifications, adding to its legitimacy. 

In this case, it’s hard not to argue that the hacker here would be characterized as either a “grey hatter” or a “white hatter.” Poly Network referred to the hacker(s) as “Mr. White Hat,” who, in this case, seemed to act as an ethical hacker whose only concern was to expose vulnerabilities so they could be fixed. 

In his response, the person allegedly behind the attack gave his reason for returning the funds:

“That’s always the plan! I am not very interested in money! I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?”

According to Tom Robinson, chief scientist at the blockchain analytics firm Elliptic, that response was written by the hacker behind the attack; he told CNBC that the firm was able to trace those messages back to transactions sent from the hacker’s account. 

“Only the holder of the stolen assets could have sent them,” Robinson told CNBC. However, CNBC was unable to independently verify the authenticity of the message or identify the hacker(s), despite SlowMist researchers stating that they had tracked down the attacker’s IP address and email address.

SlowMist is a cryptocurrency security firm that last week posted on its website that it had identified the attacker’s mailbox, IP address, and device fingerprints. As of the date of this article, the company has not named any individuals, but it believes this was a “…long-planned, organized and prepared attack.”

It isn’t very often that we see empathetic hackers who hack to “teach” a lesson. What we have here is that rare instance where an individual or group of individuals wanted to teach a valuable lesson to a company like Poly Network: that despite its claims of encryption and security for its ecosystem of investors, it has security vulnerabilities that clearly put those investors at risk. 

Bottom Line

While this may have been a rare instance, these types of attacks are necessary and instrumental to helping push DeFi into the next stages of mass adoption and trust. 

What Poly Network does next, however, will be interesting: whether it decides to pursue the hacker and, of course, to levy any penalties against them. In my opinion, why not bring them on board and have them strengthen the ecosystem that serves investors and consumers across the world?

Andrew Rossow is a Legal Contributor at Lawrina. He is a practicing attorney, adjunct law professor, writer, and speaker on cybersecurity, digital monies, and privacy. Utilizing his millennial upbringing, Rossow provides a well-rounded perspective on the legal and technology implications Bitcoin brings to the world of consumer finance. His work has been featured on Bloomberg News, Cheddar, CoinTelegraph, Law360, and numerous others. You can follow him on Twitter at @RossowEsq or visit his website AR Media Consulting.
