Poly Network Attack Conjures Billions of Dollars in Tokens That 'Did Not Exist'

Poly Network was hacked over the weekend, falling victim to an attacker that used the interoperability platform to issue billions of tokens out of thin air.

The attacker found a vulnerability in Poly Network’s cross-chain bridge tool that apparently allowed them to create massive amounts of tokens that “did not exist before,” said 3z3 Labs founder Arhat on Twitter.

Acknowledging that its platform had been attacked, Poly Network informed users on Sunday that its services had been suspended. Additionally, the platform said that it was assessing the scope of the attack and the assets impacted.

“Please remain calm,” Poly Network said. “We are committed to safeguarding your assets.”

The hacker’s digital wallet held nearly $43 billion worth of cryptocurrency at one point after the hack, according to DeBank, the decentralized finance portfolio tracker. The figure was affirmed in a post shared PeckShield, the blockchain data and security firm.

Bridges are an important part of Web 3’s ecosystem, allowing users to move assets from one network to another. Users who lock up tokens on one chain are issued an equal amount on another.

Bridges have historically been a lucrative target for hackers, however.

On the layer-2 network Metis, attackers issued themselves nearly 100 million of BNB and $10 billion of the Binance-branded stablecoin BUSD as part of the Poly Network attack, according to Chinese crypto journalist Colin Wu.

Nearly 100 trillion of Shiba Inu, the dog-themed meme coin, was issued on the network Heco. A significant amount of altcoins were also issued on Polygon and Avalanche.

Metis said that the BNB and BUSD tokens issued by hackers on its network are effectively useless because “there is no sell liquidity available,” preventing any gains from being realized. The tokens have been locked by Poly Network as well, Metis said.

3z3 Labs’ Arhat acknowledged that the overall Poly Network attack was somewhat stifled due to lackluster liquidity, which prevented any ill-gotten gains on Metis, but not on other networks like Ethereum, where stolen tokens were swapped on decentralized exchanges.

“Despite the magnitude of this hack, the hacker was only able to convert a small portion of these tokens,” he said, estimating the attacker walked away with $400,000 worth of crypto. “Everything else had no liquidity and were essentially worthless.”

The blockchain security firm SlowMist said the attacker’s total gains were higher. Over $4 million worth of digital assets from the hack has been “cashed in,” the firm said. This includes over 1,500 Ethereum worth $3 million and 93 billion SHIB worth $700,000.

Though Poly Network’s name is less well known, the platform made headlines in 2021 after a historic attack, the largest exploit in decentralized finance at the time. Even now, plugging Poly Network into a Google search returns the infamous attack’s date.

Poly Network lost $600 million in the attack, which saw funds across on Ethereum, Binance Smart Chain, and Polygon siphoned away. Poly Network moved to repay users who lost funds after the hacker returned $342 million worth of stolen crypto.

According to messages included in Ethereum transactions, the attacker from 2021 said the heist was simply “for fun” and that returning the stolen crypto was “always the plan.” They eventually returned nearly all of the stolen funds.

While this weekend’s hack of Poly Network pales in comparison to the project’s previous $600 million lesson, the event undoubtedly raises questions about the platform’s security moving forward—and whether any stolen crypto will come back to the platform and its users this time.