On July 2, the DeFi Poly Network project faced a major hack in which an attacker was able to fabricate billions of digital coins on various blockchains.
The hacker used a loophole in the bridge protocol to produce BUSD, BNB and SHIB tokens on several blockchains, such as Ethereum, BNB Chain, Polygon, Avalanche, Heco and Metis. 24 billion BUSD and BNB were issued on Metis and 999 trillion SHIB were generated on Heco. The estimated profits of the hacker were between $400k and $4m.
Following the discovery of the exploit, Poly Network shut down services to users and sought help from centralised exchanges as well as law enforcement agencies. It also advised cryptocurrency holders to withdraw liquidity and unlock the LP tokens they had provided in advance.
0xArhat, who is a security analyst for DeFi projects, tweeted that the exploit was caused by a smart contract vulnerability. The attacker was able to generate a fake validator signature and block header, allowing him to bypass the validation stage. He then began issuing tokens from the Poly Network ether pool and transferring them to his personal wallet on the Metis, BNB Chain and Polygon blockchains.
The same process continued, resulting in the accumulation of a large amount of crypto-assets. According to the expert, the hacker had at least $42 billion of these digital assets in his wallet, but he only managed to get rid of some due to lack of market interest.
This is not the first attack Poly Network has faced, with around $611 million being stolen in August 2021. Fortunately, the hacker responsible managed to recover all the crypto-assets. In response, the company teamed up with Immunefi to implement a vulnerability detection programme.
