- Poly Network bridge has been hacked again for the second time in 2 years.
- Despite the minting of billions of tokens, liquidity is unavailable to move all the funds.
Leading Decentralized Finance (DeFi) platform Poly Network has once again been exploited. This time around, the bad actor issued billions worth of numerous tokens including the dog-themed Shiba Inu (SHIB), Binance USD (BUSD), and BNB (BNB).
The attack which occurred on different blockchains was perpetrated in the early hours of Sunday, July 2nd. To carry out the attack, the bad actor exploited a smart contract function on Poly Network’s bridge tool.
Generally, bridges are designed to allow users to swap their tokens between different blockchains with the help of smart contracts. This is simply carried out by locking value on one network and releasing it on another. It is believed that the Poly Network hacker applied this strategy to manipulate the protocol and deceive it into issuing tokens to a network that does not exist.
Precisely, the Poly Network hacker minted 24 billion BUSD and BNB on the Metis blockchain, and 999 trillion SHIB on the Heco blockchain.
A handful of other tokens were also minted on other networks like Avalanche (AVAX) and Polygon (MATIC). Altogether, the attacker’s wallet held about $42 billion worth of crypto assets after the attack. Immediately after the hack, Metis developers attested to the fact that there was no “sell liquidity available” for the BNB and BUSD. Hence, the hacker was not able to monetize his loot due to a lack of liquidity.
Lack of Liquidity Poses Threat to Poly Network
As a strategy to minimize the impact of the attack, Metis clarified that all METIS tokens which were illicitly derived from Poly Bridge have been locked on BNB Chain by Poly Network. But this was not the case with other blockchains. The bad actor found liquidity for other illegally minted tokens and was able to successfully swap them for Ethereum (ETH).
According to blockchain analytic platform Lookonchain, about 94 billion SHIB tokens were swapped for 360 ETH, 495 million COOK for 16 Ether, and 15 million RFuel for 27 ETH.
Cumulatively, the swapped tokens are worth around $1.22 million. Commenting on the event, Lookonchain noted that it noticed that the hacker(s) were transferring assets in ETH to new wallets, most likely for sale.
Crypto tracking platform MistTrack has published a statement that attests to the fact that the attacker has cashed out $4.39 million worth of cryptocurrencies. So far, the hacker has utilized crypto exchanges and mixers to transfer funds. Based on MistTrack’s analysis, platforms like KuCoin, Tornado Cash, Uniswap, PancakeSwap, FixedFloat, ChangeNOW, Wing, OpenOcean, etc. were used to move the funds.
Markedly, the cross-chain DeFi platform was previously hacked on Tuesday, August 10th, 2021 and the hacker made away with over $600 million in crypto at the time. Most of the siphoned assets were USDC, Wrapped Bitcoin, Wrapped Ether, and Shiba Inu. At that time, the hacker entered a negotiation with the Poly Network team and eventually refunded all of the stolen funds, the first of such gestures in the Web 3.0 world.
