Poly Network, a cross-chain bridging protocol notorious for suffering the second-largest DeFi exploit on record, was hacked again on Sunday.
A hacker identified a flaw in Poly Network’s contract allowing them to issue a seemingly unlimited number of tokens into existence, including 10M BUSD and nearly 10M BNB tokens on Metis, almost 100T SHIB on Heco, and various tokens on Polygon, Avalanche, and BNB Chain.
The hacker’s gains may be sharply limited by low liquidity, preventing most of the tokens from being tradable. Metis tweeted there is “no sell liquidity available” for the tokens minted on its network.
Yet blockchain security firms Beosin Alert and SlowMist both estimate the hacker has realized 10.1M in ill-gotten gains so far.
Bridging Risks
The incident is a reminder of the security risks associated with cross-chain bridging protocols. According to Rekt, four of the five largest DeFi exploits targeted bridges, with Ronin, Poly Network, BNB Bridge, and Wormhole losing more than $2.1B in assets combined.
Poly Network lost $611M to hackers in August 2021, comprising the largest DeFi hack on record at the time. The hacker later returned the majority of the stolen funds.
Multisig Compromised
Poly Network suspended its services and said it was in communication with both law enforcement and the centralized exchanges used by the hacker to cash out funds. “We hope that the attacker will cooperate and return the user assets to avoid any potential legal consequences,” the team said.Poly Network also urged liquidity providers and project teams for all affected tokens to withdraw liquidity from decentralized exchanges.Dedaub, a web3 security team, attributed the latest incident to a compromised 3 of 4 multisig wallet. The team chastised Poly Network for maintaining poor security practices and taking seven hours to pause the protocol after the attack.
Exploits Proliferate
According to a report from De.Fi, hackers have made off with $667M in 2023 so far, $204M of which was lost in Q2. Last quarter hosted 117 exploits or rug-pulls, 11 times that of Q1 2022 and a 150% increase compared to the previous quarter.
BNB Chain hosted more than half of the incidents with 65 hacks totaling $57.8M in losses, followed by Ethereum with 25 exploits worth $82.5M, and Arbitrum, with 10 cases amounting to $21m.
