The beginning of August was tough for the Poly Network blockchain founders — a hacker stole more than 600 million USD in various tokens from the blockchain’s smart contract.
We tried to analyze the causes of vulnerability and how the attackers managed to steal such a large sum of money.
1. The idea behind this attack is that the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can perform certain cross-chain transactions via the _executeCrossChainTx function.
2. Since the EthCrossChainData contract is owned by the EthCrossChainManager contract, the EthCrossChainManager contract can change the contract custodian by calling the putCurEpochConPubKeyBytes function of the EthCrossChainData contract.
3. The verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute user-specified cross-chain transactions by calling the _executeCrossChainTx function internally.
Therefore, an attacker only needs to pass well constructed data through the verifyHeaderAndExecuteTx function to the _executeCrossChainTx function to call the PutCurEpochConPubKeyBytes function of the EthCrossChainData contract to change the custodian role to the address specified by the attacker.
4. After replacing the custodian address, the attacker can build the transaction he wants and withdraw any amount of money from the contract.
As a result
This attack involves the fact that the EthCrossChainData contract custodian can be artificially modified by the default EthCrossChainManager built-in contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute data sent by the user via the _executeCrossChainTx function. Consequently, an attacker uses this function to modify the EthCrossChainData contract custodian.
It’s not that this event was caused by the leak of the custodian’s private key, as the public believed at first. Based on this data, it is safe to say that there was a huge vulnerability that the network developers did not find in time.
What happened next
The developers of Poly Network insisted on blocking contracts and addresses through which the funds were withdrawn. The company that issued the Tether stablecoin blocked $33 million in funds.
The day after the theft, the attacker gradually began returning tokens to the platform. So far, more than $340 million in various tokens has been returned by the hacker, and he promises to return the rest when “all participants are ready for it”.