Poly Network Hack
Incident Overview
Poly Network, a crosschain bridge, suffered an exploit leading to a loss of 5,196.95 $ETH, equivalent to 10,201,612 $USD.
The Poly Network suffered an attack via access control, where the exploiter was able to generate signatures possibly using the project's wallets, and drained significant amounts of various assets in multiple chains, including Ethereum, Binance Smart Chain, Avalance, and Metis.
After the first distinct attack, the exploiter was able to swap a large amount of $SHIB and other liquid assets for ETH and drain $USDC and $USDT in the other two attacks, which were then swapped for ETH. In total, the exploit resulted in the theft of 5,196.95 $ETH, equivalent to around 10,201,612 $USD.
The stolen assets were not only in ETH but also included non-liquid ERC20 tokens. The total stolen assets worth across several chains was approximately way more than the actual funds lost, but attackers were unable to cash out the cause of low liquidity. However, 18,444,696 $USD worth of tokens were distributed between 17 EOA addresses, along with 1 $ETH each, for possible future cash out.
Attacker Addresses:
- https://etherscan.io/address/0xe0Afadad…8Ba599
- https://etherscan.io/address/0x8E000196…255b2E
- https://etherscan.io/address/0xdddE20a5…bC5886
Significant Funds Holders:
- https://etherscan.io/address/0x2f6c25e3…a57b82 holds 1,557.36 $ETH
- https://etherscan.io/address/0x3d66756B…9E7047 holds 1,371.64 $ETH
- https://etherscan.io/address/0x23f4ca51…4cc671 holds 1,500 $ETH
- https://etherscan.io/address/0xfd3e731a…22b778 holds 300 $ETH
- https://etherscan.io/address/0xc8ab4aa9…38c42f holds 440 $ETH
- https://etherscan.io/address/0xe0Afadad…8Ba599 holds 11.95 $ETH and 814,763 $USD worth of non-liquid ERC20 tokens
Malicious Transaction Examples:
https://etherscan.io/tx/0xe280153a…4776da
https://etherscan.io/tx/0x0a751cae…99263d
https://etherscan.io/tx/0x3a6e5d7e…90f993
Minor funds holders are:
- https://etherscan.io/address/0xb5a3e49c…d8913a: 3,088,065 $USD worth of $COW tokens
- https://etherscan.io/address/0x1417ba04…bbe729: 1 $ETH and 1,900,551 $USD worth of $XTM tokens
- https://etherscan.io/address/0x38aD785a…8fD913: 1 $ETH and 2,638,524 $USD worth of $OOE tokens
- https://etherscan.io/address/0x211AE110…218D12: 1 $ETH and 2,251,610 $USD worth of $Metis tokens
- https://etherscan.io/address/0x9E98612E…56F89b: 1 $ETH and 1,684,974 $USD worth of $STACK tokens
- https://etherscan.io/address/0xf3066df0…b0eb8a: 1 $ETH and 1,531,034 $USD worth of $NEST tokens
- https://etherscan.io/address/0x8d62f78a…6b3573: 1 $ETH and 978,723 $USD worth of $SLD tokens
- https://etherscan.io/address/0x8D72F959…2446a7: 1 $ETH and 517,760 $USD worth of $REVO tokens
- https://etherscan.io/address/0x5979fbfe…87A9f9: 1 $ETH and 745,726 $USD worth of $8PAY tokens
- https://etherscan.io/address/0x9D8195f3…831d66: 1 $ETH and 658,541 $USD worth of $CWS tokens
- https://etherscan.io/address/0xe5fa7E2A…2dDAb9: 1 $ETH and 11,000,000 $SPAY tokens
- https://etherscan.io/address/0xbCAC1C15…544eb6: 1 $ETH and 317,616 $USD worth of $RPG tokens
- https://etherscan.io/address/0x6893D0DE…6B67a5: 1 $ETH and 311,356 $USD worth of $GM tokens
- https://etherscan.io/address/0x21f1628F…057118: 1 $ETH and 289,360 $USD worth of $MIX tokens
- https://etherscan.io/address/0xbf6302Cb…Ca4aE6: 1 $ETH and 261,714 $USD worth of $AXL tokens
- https://etherscan.io/address/0x85ef2355…99bB60: 1 $ETH and 168,927 $USD worth of $DOV tokens
- https://etherscan.io/address/0xB69F28D8…B855e9: 1 $ETH, 142,767 $USD worth of $FEI and 142,685 $USD worth of $TRIBE tokens
Incident Report
Protocol Information
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to Poly Network, these are the critical security checks that could have prevented this incident (July 2023).
- Verify all logic paths related to Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialRelated Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
Learn to Prevent the Next Poly Network
The Poly Network hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.