The biggest DeFi hack of the year! Beosin on the Poly Network Attack Full Explanation
On the evening of August 10, the public opinion monitoring of ChainBuilder — Blockchain Security Situational Awareness Platform (Beosin-Eagle Eye) showed that the cross-chain protocol Poly Network was attacked and nearly US$600 million in funds were stolen from three chains, Ethereum, BinanceChain and Polygon.
Poly Network was once considered to be the “best” cross-chain interoperability protocol on the market today for true “heterogeneous cross-chain”.
The attack first occurred on August 10 at 17:55, with hackers transferring 96.38 million USDC, 1032 WBTC and other assets from Poly Network smart contracts one after another at Ether, with a total value of over $260 million; from 18:04, with hackers transferring 85.08 million USDC from the project’s smart contracts at Polygon; and from 18:08, with hackers transferring 87.6 million USDC, 26,629 ETH and other assets from the project’s smart contracts at BSC transferred 87.6 million USDC, 26,629 ETH and other assets from from the project’s smart contracts.
This is the largest hack in the entire history of crypto, surpassing the infamous Mt.Gox incident (744,408 BTC, worth about $400 million at the time) and the 2018 Coincheck case (523 million XEM, worth about $534 million at the time). Regarding the exact cause of this incident, the Beosin technical team has been conducting real-time monitoring to track the principle and technical details of the vulnerability.
After analysis, the Beosin technical team found that the attacker took advantage of a logic flaw in the EthCrossChainManager contract to call the putCurEpochConPubKeyBytes function in the EthCrossChainData contract to change the Keeper to its own address, and then used that address to sign the transactions to extract the tokens, thus siphoning off a large amount of tokens from the LockProxy contract.
Contracts under attack.
Attack on trade.
On the BSC, the attacker first calls the verifyHeaderAndExecuteTx (0xd450e04c) function in the EthCrossChainManager contract by passing carefully constructed data. Since the verifyHeaderAndExecuteTx function calls the internal function _executeCrossChainTx and uses a call in that internal function, the attacker controls the call’s parameter _ method, successfully calling the putCurEpochConPubKeyBytes function in the EthCrossChainData contract as the EthCrossChainManager contract to change the Keeper to its own address ( 0xa87fb85a93ca072cd4e5f0d4f178bc831df8a00b). This step of the operation is to subsequently be able to obtain a transaction with a valid Keeper signature and then extract the tokens from the contract.
The above call to the attacker-constructed _method is not actually putCurEpochConPubKeyBytes, because only the function name in the call is user-controllable and the parameters are of a fixed number and type. The attacker implements the call to the putCurEpochConPubKeyBytes function in the EthCrossChainData contract by constructing the f1121318093 function with the same function signature as putCurEpochConPubKeyBytes.
After completing the modification of the Keeper, the attacker can then sign any transaction. The attacker removes all ETH, BTCB, BUSD and USDC tokens from the B contract with multiple transactions signed by a valid Keeper (after the signature has been modified by the attacker to his own address).
Since ETH and Polygon have the same code and Keeper as on BSC, the attacker, after completing the attack on BSC, replayed the previously constructed data on ETH and Polygon, modifying the Keeper on ETH and Polygon to its own address as well (0xa87fb85a93ca072cd4e5f0d4f178bc831df8a00b).
Then using the same attack technique, all of the ETH, USDC, WBTC, UNI, DAI, SHIB, WETH, FEI, USDT and renBTC in the D contract and all of the USDC in the F contract were taken out.
Attackers return USD 1.01 million at Polygon.
The main reason for this attack is that there is a problem with the contract permission management logic. Any user can call the verifyHeaderAndExecuteTx function to execute a transaction, and when making a call inside it, the function name can be controlled by the user, and a malicious user can call part of the function through an elaborate data exception. Also the EthCrossChainManager contract has permission to modify the Keeper, normally through the changeBookKeeper function, but in this attack the attacker is successfully modifying the Keeper through the call call in the verifyHeaderAndExecuteTx function via the carefully constructed data The Keeper address, which in turn could sign the transaction, resulted in the most damaging attack since Defi’s inception.
Possibly due to pressure from multiple parties, the hackers who attacked Poly Network began to return assets, having returned 10,100USDC on Polygon in block 17862254 and 1 million USDC on Polygon in block 17862497.
Beosin would like to remind developers that when using call calls, they need to pay particular attention to cases where the parameters are user controllable, and some special contracts and functions need to be strictly controlled for permissions to avoid irreparable damage caused by abnormal calls.