Funds being stolen in hacker attacks is a common occurrence in the cryptocurrency industry, but a single theft of up to $610 million directly shocked our team.
Poly Network, a cross-chain interoperability protocol, was attacked by hackers last night. The hackers used the super backdoor reserved by the project team to steal investor funds directly.
The cross-chain protocol mainly supports the Ethereum blockchain, Binance Smart Chain, and its own project chain, and the project is a very well-known ecosystem platform in the crypto community.
However, the super-management authority the project team reserved for itself in the system became the hacker's key, and the hacker brazenly stole investors' locked funds.
On-chain data showed that the hackers stole $250 million, $270 million, and $85 million of crypto assets from different chains, for a total of $610 million.
The attack method may not be particularly technical, because the hacker transferred all of the investors' assets through the super-management authority reserved by the project team.
This super-management authority, reserved by the project team, ignores whether a user's assets are in a lock-up period: even locked assets can be transferred directly.
The entire process requires no user confirmation, which means that anyone holding this super-administrator authority can transfer user assets directly, without any verification.
The key is the private key that carries this authority. From what is currently known, the hacker did not tamper with the system's code but operated by abusing that privileged authority.
So here comes the question: how did the hacker obtain a private key with such over-control authority? Did the hacker compromise an administrator's computer to steal the private key, or did a member of the team steal it from the inside?
Yet before the attack occurred, no investors had questioned why the project team reserved this over-control authority, which is effectively a backdoor.
The hacker who launched the attack is clearly also a blockchain expert, having made thorough preparations to prevent their true identity from being traced before launching the attack.
For example, for the initial deposit the hacker used the privacy coin Monero, and transactions initiated through Monero cannot be inspected even though there is data on the chain.
For now, security and auditing companies are still unable to locate the hacker. For investors, the assets transferred to Poly Network for mining may not be recovered.