Poly Network Hack
The Story
On August 10, 2021, an attacker exploited a vulnerability in Poly Network's cross-chain protocol, stealing approximately $611 million in various cryptocurrencies across Ethereum, Binance Smart Chain, and Polygon networks. This instantly became the largest DeFi hack in history at the time.
In a surprising turn of events, the attacker opened communications with the Poly Network team through on-chain messages, embedded in the input data of Ethereum transactions. They claimed to have hacked "for fun" and to expose the vulnerability before someone with malicious intent could exploit it. Over the following days, the hacker began returning the funds in batches and eventually returned all the stolen assets.
The Poly Network team dubbed the hacker "Mr. White Hat" and even offered them a $500,000 bounty and a position as Chief Security Advisor, which the hacker initially declined but later accepted in part.
Technical Analysis
The Poly Network hack broke no cryptography; it abused the contract logic of the bridge's EthCrossChainManager. The entry point was the verifyHeaderAndExecuteTx function, which verifies a cross-chain message and then executes it:
function verifyHeaderAndExecuteTx(bytes memory proof, bytes memory rawHeader, bytes memory headerProof, bytes memory curRawHeader, bytes memory headerSig) public returns (bool) {
    // ... code omitted for brevity:
    //   the header signatures are checked against the current keeper set
    //   stored in EthCrossChainData, and the Merkle proof against the header
    require(_executeCrossChainTx(toMerkleValue.fromContract, toMerkleValue.toChainId, toMerkleValue.toContract, toMerkleValue.method, toMerkleValue.txData), "execute CrossChainTx failed!");
    // ... code omitted for brevity
}
The weak link was _executeCrossChainTx. It takes the target contract, the method name and the arguments straight from the cross-chain message and builds the call as _toContract.call(abi.encodePacked(bytes4(keccak256(abi.encodePacked(_method, "(bytes,bytes,uint64)"))), abi.encode(_args, _fromContractAddr, _fromChainId))). Two things are wrong with that: the 4-byte function selector is derived from an attacker-controlled string, and nothing restricts which contract the manager may call. In particular the manager was allowed to call EthCrossChainData, the contract that stores the keeper public keys used to verify every header, and whose onlyOwner functions trust the manager. The attacker therefore:
- Submitted a cross-chain message aimed at EthCrossChainData, with the method name f1121318093 and their own public key as the payload
- Relied on a selector collision: the first four bytes of keccak256("f1121318093(bytes,bytes,uint64)") equal those of keccak256("putCurEpochConPubKeyBytes(bytes)"), 0x41973cd9, so the manager ended up invoking putCurEpochConPubKeyBytes
- Replaced the keeper set with a single key they controlled, passing the onlyOwner check because the caller was the manager itself
- Signed their own cross-chain headers and proofs authorising unlocks from the LockProxy contracts on Ethereum, Binance Smart Chain and Polygon to addresses they controlled
In essence, this was a privilege escalation: by making the bridge rewrite its own trust root, the attacker became the sole "keeper" and could authorise any transfer the bridge was holding. Finding the colliding name is cheap, since a 4-byte target needs on the order of 2^32 keccak computations, well within reach of a brute-force search on ordinary hardware.
Lessons Learned
- Cross-chain executors must not derive call targets or function selectors from attacker-controlled data; whitelist the contracts a message may call and invoke them through fixed, typed interfaces rather than a name string hashed to four bytes
- The contract that holds a bridge's trust root (here the keeper set in EthCrossChainData) must never be reachable through the same path that executes user messages; separate the two privileges and give critical functions multiple authorization layers
- Public-facing functions need comprehensive input validation, including which chain and which contract a message is allowed to address
- Keeper and validator set changes should go through a multi-party, time-locked process designed on zero-trust principles, never a single setter callable by one contract
- Emergency response plans are essential for rapid reaction to exploits: pause switches, and established contacts with exchanges and stablecoin issuers, which is how Tether was able to freeze about $33 million of the stolen USDT