According to Poly Network, a total of $260 million stolen cryptocurrency assets has been returned by the hacker yesterday. The company announced this on its Twitter feed.
After returning the money, the hacker surprisingly conducted a question-and-answer session detailing how the initial hack went down.
Poly Network suffered a major exploit on Tuesday that saw assets removed from the Ethereum, Binance Chain and the Polygon network. According to Poly Network a total of $613.3 million was stolen making it the largest DeFi exploit to date.
According to Poly Network, the hacker returned $3.3 million on the Ethereum blockchain, $256 million on the Binance Smart Chain (BSC) and $1 million on the Polygon network, making it a total of $260.3 million returned. The remaining amount includes $269 million on the Ethereum blockchain and $84 million on the Polygon network.
According to slowmist.medium who did an analysis on the attack, they found the cause of the vulnerability on the network stating “This attack is mainly because the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute the data passed in by the user through the _executeCrossChainTx function. Therefore, the attacker uses this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract. It is not the case that this event occurred due to the leakage of the keeper’s private key.”
Poly Network also gave a similar explanation for why the hack happened stating, “after preliminary investigation, we located the cause of vulnerability. The hacker exploited a vulnerability between contract calls, exploit was not caused by the single keeper as rumoured.”
The hacker, as mentioned earlier, engaged in a Q&A session and answered a few questions related to the hack. See images below for the transcript of the session.
Bottomline
The hacker has also expressed intentions to return the stolen funds on multiple occasions. This has led to suggestions that it may have been a white hat hack to teach Poly an expensive lesson about its security flaws.
However, Tom Robinson, the chief scientist at blockchain analytics firm, Elliptic had a different view as he told Forbes, “demonstrates that even if you can steal crypto-assets, laundering them and cashing out is extremely difficult due to the transparency of the blockchain.”