Blockchain platform Poly Network has fallen victim to what is likely to be the largest cryptocurrency heist in history, with hackers making away with over $610 million (£440 million) worth of Ether, Binance, and USDC tokens.
The attack, which took place on Tuesday, saw cyber criminals exploit a vulnerability in Poly Network’s contract system, with the company confirming the news on its Twitter account.
Hours later, the blockchain platform announced that it had “located the cause of the vulnerability” following a “preliminary investigation”.
“The hacker exploited a vulnerability between contract calls, exploit was not caused by the single keeper as rumoured,” the company stated.
Cyber security researchers from SlowMist, which focuses on blockchain ecosystem security, said that the hacker took advantage of the _executeCrossChainTx function in order “to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract”.
SlowMist researchers denied that the attack might have been caused by a stolen password, in a blog post detailing the attack.
“It is not the case that this event occurred due to the leakage of the keeper’s private key,” the team stated.
How to reduce the risk of phishing and ransomware
Top security concerns and tips for mitigation
Poly Network seemed to agree with SlowMist’s analysis by sharing the blog post with its Twitter followers. It also urged the hackers to “establish communication” to return the stolen $600 million worth of digital tokens in an open letter:
“The amount of money you have hacked is one of the biggest in defi [decentralised finance] history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. The money you stole are [sic] from tens of thousands of crypto community members, hence the people. You should talk to us to work out a solution,” the company said in the note.
By 1pm BST, it also confirmed that the hackers had so far returned $4.7 million (£3.4 million) worth of digital currency.
Poly Network also asked “miners of affected blockchain and crypto exchanges to blacklist tokens” associated with the following address: BSC:0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71.
Prior to Tuesday’ hack, the attack on cryptocurrency exchange and wallet Coincheck in 2018 was seen as the largest cryptocurrency heist to date. However, the amount stolen from Poly Network is around $80 million higher than the $532 million plundered from Coincheck.
Poly Network wasn’t immediately available for comment.
