The source of the biggest DeFi hack of the year, Poly Network, has been found
Beosin has found the source of the attack on Poly Network after an in-depth analysis. The cross-chain transaction corresponding to this transaction was sent from the transaction starting with f771ba on the native chain, and located to the attacker’s address starting with AM2W2L on the native chain. After the attacker makes an attack attempt on the ONT chain and finds that it is effective, he initiates a cross-chain message to change the Keeper in bulk to multiple chains through this transaction with the address starting with f771ba, and then the relayer of the BSC chain starting with 0xa0872c79 takes the lead in processing the cross-chain transaction and sets the Keeper to the address starting with 0xa87 specified by the attacker. The attacker then replayed the valid signatures used by the relayer of the BSC chain on both Ethereum and Polygon chains. after the Keeper address was changed to his own, the attacker used his own controllable Keeper to initiate the coin withdrawal transaction and transferred the assets in the cross-chain pool. The success of this attack indicates that PolyNetwork has a flaw in the verification of cross-chain transaction events, resulting in malicious cross-chain messages being received and the operations specified in the cross-chain messages being performed on the corresponding chain.