Further details are coming to light following a July 2 attack on cross-chain bridge platform Poly Network, in which a hacker was able to issue billions of tokens out of thin air for profit.
In a July 2 Twitter post, Poly Network confirmed it became the latest DeFi exploit victim after attackers managed to manipulate a smart contract function on the cross-chain bridge protocol, adding that it would temporarily suspend services.
In the most recent update, the team revealed the exploit affected 57 crypto assets on 10 blockchains — including Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKx, and others such as Metis.
It did not specify how much was stolen in the attack, but PeckShield earlier reported that the exploiter had transferred at least $5 million worth of crypto out.
“We have already initiated communication with centralized exchanges and law enforcement agencies and sought their assistance,” the team stated in a July 3 update.
It also advised project teams and token holders to withdraw liquidity and unlock their LP (liquidity provider) tokens.
DeFi security analyst @0xArhat said the exploit was a result of a smart contract vulnerability that allowed the hacker to “craft a malicious parameter containing a fake validator signature and block header.”
The smart contract accepted this parameter, enabling the hacker to bypass the verification process and issue tokens from Poly Network's Ethereum pool to their own address on other chains, such as Metis, BNB Chain, and Polygon.
The process was repeated for other chains, enabling the token stash to pile up.
At one point the hacker’s wallet held around $42 billion worth of tokens, but the hacker was only able to convert and steal a fraction of them, said the analyst.