How did the PolyNetwork hacker steal 600 million dollars? Security experts point fingers

In brief

  • More than $600 million in digital assets has been stolen from PolyNetwork.
  • Security experts are still trying to piece together what happened.

More than seven hours after the first reports, details about an exploit that drained more than $600 million in digital assets from PolyNetwork have been slow to emerge. In the absence of a full audit, cybersecurity firms have echoed a common refrain from the programmers behind the cross-chain interoperability network: it is anyone's guess.

Funds linked to the attack were traced to three different addresses, one each on Ethereum, Binance Smart Chain, and Polygon.

As for the chain of events that put the ill-gotten funds there, security experts have differing opinions, with some going as far as accusing their colleagues of misleading the public.

According to an initial analysis by Chinese security auditor BlockSec, which cautioned that its findings had not yet been verified, the theft could be the result of "either the loss of the private key used to sign the cross-chain message" or "a bug in the PolyNetwork signing process that was used to sign a crafted message".

Other researchers have also hinted that poor security practices may have led to the theft of private keys used by the PolyNetwork team to authorize transactions.

Mudit Gupta, an Ethereum developer and security researcher, wrote that PolyNetwork uses a multi-signature wallet for transactions. In its configuration, four people hold keys to sign transactions and three of them have to sign: "the attacker took over at least 3 keepers and then used them to change the keepers to a single keeper." In effect, the hacker locked them out. (Gupta initially thought Poly used a 1-of-1 multisig.)

The SlowMist blockchain security team says that is not exactly what happened. Instead, it says, the attacker exploited a flaw in a smart contract function to change its keeper, redirecting the flow of funds to the attacker's address. "It is not the case that this event occurred due to the loss of the keeper's private key," the team reported.
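The two competing explanations above (stolen keeper keys versus a contract flaw that swaps the keeper set) can be pictured with a small Python model, added here as an illustration and not Poly Network's code; the keeper names, secrets and the `relay`/`update_keepers` functions are assumptions, and HMAC stands in for real signatures. It shows the checks a bridge should apply: only signatures from the current keeper set count, relayed messages can never change the keeper set, and the set can never shrink below the signing threshold.

```python
import hashlib
import hmac
import json

# Constructed toy model of the setup the article describes: four keepers whose
# signatures authorize cross-chain messages, any three sufficing. Not Poly
# Network's contracts; keeper names and secrets are made up.
THRESHOLD = 3
KEEPER_SECRETS = {f"keeper{i}": f"constructed-secret-{i}".encode() for i in range(1, 5)}

def keeper_sign(keeper: str, payload: bytes) -> str:
    return hmac.new(KEEPER_SECRETS[keeper], payload, hashlib.sha256).hexdigest()

def encode(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()

class Bridge:
    def __init__(self):
        self.keepers = set(KEEPER_SECRETS)  # current keeper set
        self.unlocked = []                  # (asset, to, amount) releases

    def _valid_sigs(self, payload: bytes, sigs: dict) -> int:
        # Only signatures from the *current* keeper set count toward the threshold.
        return sum(1 for k, s in sigs.items() if k in self.keepers
                   and hmac.compare_digest(keeper_sign(k, payload), s))

    def relay(self, message: dict, sigs: dict) -> str:
        if self._valid_sigs(encode(message), sigs) < THRESHOLD:
            return "rejected: below keeper threshold"
        # Hardening: relayed data may only unlock assets. Changing the keeper
        # set is a separate governance path, never reachable through a message.
        if message.get("action") != "unlock":
            return "rejected: privileged action via relay"
        self.unlocked.append((message["asset"], message["to"], message["amount"]))
        return "ok"

    def update_keepers(self, new_keepers: list, sigs: dict) -> str:
        if self._valid_sigs(encode(sorted(new_keepers)), sigs) < THRESHOLD:
            return "rejected: below keeper threshold"
        # Hardening: the set may never shrink below the threshold, so even
        # three compromised keepers cannot hand control to a single key.
        if len(new_keepers) < THRESHOLD:
            return "rejected: keeper set below threshold"
        self.keepers = set(new_keepers)
        return "ok"

def sign_all(keepers, obj) -> dict:
    # Collect signatures from the named keepers over the canonical encoding.
    return {k: keeper_sign(k, encode(obj)) for k in keepers}
```

A three-keeper unlock passes `relay`, while a message that tries to set the keepers, or an `update_keepers` call that would leave a single keeper, is refused even with three valid signatures.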

PolyNetwork retweeted the blog post, while Gupta disagreed with SlowMist, suggesting either severe incompetence or collusion with Poly Network.

Either SlowMist is in bed with Poly Network or they are very incompetent.

They accidentally forgot to mention that all user-entered data MUST be signed by the keepers. The attackers managed to steal the keepers' pvt keys or trick them into signing malicious data. https://t.co/2ziQaoCcd1

– Mudit Gupta (@Mudit__Gupta) August 10, 2021

Regardless of whether the attacker obtained private keys or exploited a weak smart contract, one way to do either is to be on the inside. But was it an inside job? After all, according to blockchain analytics firm CipherTrace, so-called rug pulls, a type of exit scam, were the most popular form of crypto fraud last year.

It's too early to tell. SlowMist says it "captured the attacker's mailbox, IP and device fingerprints through on-chain and off-chain monitoring and is monitoring possible identity leads related to the Poly Network attacker." But its investigation has yet to lead to a Poly executive holding a smoking gun. (Or, if it has, SlowMist isn't saying so yet.)

1) The @PolyNetwork2 cross-chain interoperability protocol was attacked and a total of more than $610 million was transferred to 3 addresses. The impact resulted in the transfer of large assets from the O3 Swap cross-chain pool.

– SlowMist (@SlowMist_Team) August 10, 2021

Meanwhile, it is unclear whether the attacker will be able to use the funds. PolyNetwork also asked "miners of the affected blockchains and crypto exchanges to blacklist tokens" coming from the exploiter's addresses. In response, Tether said it froze $33 million in USDT related to the attack, while executives at Binance, OKEx, and Huobi pledged to limit the damage.

The hacker, however, took to the Ethereum blockchain to taunt onlookers, embedding messages in transactions. "WHAT IF I MAKE A NEW TOKEN AND LET THE DAO DECIDE WHERE THE TOKENS GO", they wrote in one message.

Maybe, but perhaps someone else should write the smart contracts for it.
