July 04, 2023
Following Poly Network Attack: Beosin KYT/AML Keeps Tracing Stolen Funds and Unveils Hackers' Tactic
According to Beosin EagleEye security risk monitoring platform, on July 2, the Poly Network cross-chain bridge was suspected of being attacked due to a potential compromise of private keys or a multi-signature service attack. The hacker has exploited forged proofs to initiate withdrawal operations on the cross-chain bridge contracts across multiple chains.
It is not the first time that Poly Network got attacked. As early as August 10, 2021, Beosin EagleEye showed that Poly Network was attacked and nearly 600 million dollars in funds were stolen from the three chains of Ethereum, BSC, and Polygon.
That incident was also the security incident with the largest loss of 2021. Two years ago, the attacker exploited a logic flaw in the EthCrossChainManager contract to call the putCurEpochConPubKeyBytes function of the EthCrossChainData contract, changing the Keeper to a hacker-controlled address, and then used that address to sign token-withdrawal transactions, draining a large number of tokens from the LockProxy contract. Under pressure from many parties, however, the attacker eventually chose to return the stolen assets.
This time, how did the hacker attack Poly Network and deal with the stolen funds? The details are as follows.
Take the attack address 0x906639ab20d12a95a8bec294758955870d0bb5cc as an example:
Firstly, the attacker called the lock function on the LockProxy cross-chain bridge contract to lock a small amount of Lever Token.
The toChainId 6 corresponds to the BNB chain, which can be viewed at https://explorer.poly.network. If a transaction is visible on the Poly Network explorer, it indicates that it has been validated through the relay chain.
Switching to the BNB chain, the attacker used the verifyHeaderAndExecuteTx function to initiate withdrawal operations, but the quantity involved does not match the original lock amount.
However, upon querying the relay chain network, no record of this transaction was found.
There is now reason to suspect that either the keeper signatures have been leaked or the keepers themselves have been modified.
Keepers are responsible for signing user withdrawals, so controlling a keeper would allow the attacker to initiate withdrawals with forged signatures. The 2021 attack on Poly Network was carried out by modifying the keeper in exactly this way.
Upon analyzing the attacker's use of the verifyHeaderAndExecuteTx function for withdrawal operations, it was found that the keepers have not been modified.
Now, there is reason to believe that three keepers (0x4c46e1f946362547546677bfa719598385ce56f2, 0x51b7529137d34002c4ebd81a2244f0ee7e95b2c0, 0x3dfccb7b8a6972cde3b695d3c0c032514b0f3825) may have suffered private key compromise or a multi-signature service attack.
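The check Beosin describes above (a destination-chain withdrawal that does not match the source-chain lock and has no relay-chain record) can be automated as a reconciliation pass over bridge events. The following is an added example, not Beosin's or Poly Network's code; the event shapes, transaction ids, addresses and amounts are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data modelled on the attack pattern described above.
# Every address, transaction id and amount here is made up for illustration.
BNB_CHAIN_ID = 6  # toChainId 6 is the BNB chain (see the Poly Network explorer)

@dataclass(frozen=True)
class LockEvent:       # emitted by LockProxy.lock on the source chain
    tx_id: str
    to_chain_id: int
    to_address: str
    amount: int        # token base units

@dataclass(frozen=True)
class UnlockEvent:     # emitted on the destination chain after verifyHeaderAndExecuteTx
    tx_id: str         # cross-chain tx id that the submitted proof claims to execute
    chain_id: int
    to_address: str
    amount: int

def reconcile(locks, unlocks, relay_chain_tx_ids):
    """Return (unlock, reason) pairs for destination-chain unlocks that cannot be
    matched to a validated source-chain lock. A clean unlock needs a relay-chain
    record and a lock with the same destination chain, recipient and amount."""
    locks_by_id = {lock.tx_id: lock for lock in locks}
    findings = []
    for u in unlocks:
        lock = locks_by_id.get(u.tx_id)
        if u.tx_id not in relay_chain_tx_ids:
            findings.append((u, "no relay-chain record: proof was never validated"))
        elif lock is None:
            findings.append((u, "no matching lock on the source chain"))
        elif lock.to_chain_id != u.chain_id:
            findings.append((u, "destination chain mismatch"))
        elif lock.amount != u.amount or lock.to_address.lower() != u.to_address.lower():
            findings.append((u, "amount or recipient differs from the lock"))
    return findings

def run_sample():
    locks = [LockEvent("tx-1", BNB_CHAIN_ID, "0xuser", 10),
             LockEvent("tx-2", BNB_CHAIN_ID, "0xattacker", 1)]       # the small decoy lock
    unlocks = [UnlockEvent("tx-1", BNB_CHAIN_ID, "0xuser", 10),         # legitimate
               UnlockEvent("tx-2", BNB_CHAIN_ID, "0xattacker", 1_592),  # forged proof, inflated amount
               UnlockEvent("tx-3", BNB_CHAIN_ID, "0xattacker", 500)]    # proof for a lock that never happened
    relay = {"tx-1", "tx-2"}  # relay chain validated tx-1 and the small tx-2 lock, never tx-3
    return [(u.tx_id, reason) for u, reason in reconcile(locks, unlocks, relay)]
```

In practice the three inputs come from the source-chain lock logs, the destination-chain unlock logs and the relay-chain explorer; any finding is a candidate for pausing the bridge.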
At the same time, according to Beosin KYT/AML, the hackers called the Poly Network contract from a batch of addresses and exploited the loopholes in the two functions UnlockEvent and verifyHeaderAndExecuteTx to attack the project and transfer the funds to their own deposit address.
The fund flow
On the Ethereum
The addresses calling the attacked contract obtained gas fees through a common address.
Transactions to distribute fees
The fee-distribution address (0x0dfeb429166e629204aca66467484cd88cb9701c) obtained its fees through an exchange called FixedFloat.
There are three sources of fees in total for the hackers' consolidated address.
1. One fee source is Tornado.Cash
The fee for the consolidated address 0xe0afadad1d93704761c8550f21a53de3468ba599
2. Through Bybit, flowing into the address via one layer of transit
The address used to transfer fees: 0x4FbC021742A4664D1cf8e9d2730b8519B9Dcc523
3. Swapping stolen assets for ETH to use as fees
Two hacker addresses swapped the stolen USDT/USDC for ETH on a DEX and then used it to pay fees for subsequent addresses. The initial fee transfers and the hashes of the two addresses are as follows.
Hacker address 1: 0xdddE20a5F569DFB11F5c405751367E939ebC5886
Fee transfer address: 0xD475747a4937a66Cc7D4a2c7eA7F6e827D0f7390
Transaction hash: 0x853b75b1b8a7f56c51fcba9b996af8d132b784cfa0da7162c20a48a5994d8a06
Hacker address 2: 0x8E0001966e6997db3e45c5F75D4C89a610255b2E
Transaction hash: 0x0f3cf1fe16052223e091e87c2a6f7a9a94e53a565dfac7b83eb0b9b79458ad8f
On the BSC chain
The fee-distribution address (0x1634Bf68e6b3Bb8D79388EfB3d1A5215506FBbEd)
The fee-distribution address obtained its fees through the KuCoin and ChangeNow exchanges and distributes them from there.
No fee transfers were found for the consolidated addresses.
On the Polygon chain
The fee-distribution address (0x09F92eDce2E46C399BFE7881a7619598AF8436d5)
The address calling the attacked contract obtained its fees through a common address.
This address obtained its transaction fees through the FixedFloat exchange.
Transaction hash: 0xc7a25eb840718028c0d8f402d1293dcb479755d77609a7dfb616c10e90176dec
The source of the fees for the hacker's consolidated addresses is 0x09F92eDce2E46C399BFE7881a7619598AF8436d5.
Beosin KYT/AML keeps tracing the flow of funds
On the Ethereum
Beosin KYT/AML tracked and found that the stolen funds on the ETH chain are as follows:
First, the hacker called the attacked contract through a batch of addresses to exploit the vulnerability, using a total of 20 addresses.
The fees of these 20 addresses all came from the address 0x0dfeb429166e629204aca66467484cd88cb9701c, and the fees of that address were transferred in through FixedFloat.
The hacker called LOCK in the Poly Network contract, locked the funds, and then called the two functions of UnlockEvent and verifyHeaderAndExecuteTx to attack the project. The case is as follows:
It can be seen that in the UnlockEvent, the variable toAddress has become the hacker consolidated address, and the amount has also been modified to the amount of stolen funds (1,592.51818168432 ETH here).
From here, we can see that the Proof item in the input data has been replaced with content containing the hacker consolidated address.
The fees of the hacker addresses involved in the case were mainly obtained in five ways:
1. Transfer of ETH through Tornado.Cash
2. Transfer of ETH through the Bybit exchange
3. Transfer of ETH through the KuCoin exchange
4. Transfer of ETH through the FixedFloat exchange
5. Using stolen ETH
The hackers began the attack on July 1, 2023. So far, only some of the stolen tokens have been exchanged for ETH through a DEX, and that ETH, together with some other tokens, has been transferred to other addresses.
On the BSC chain
The flow on the BSC chain is similar to that on Ethereum. The hacker continued to use some of the same addresses for the stealing operation and used the contract bugs to transfer the assets to the hacker's addresses.
First, the hacker called the attacked contract through a batch of addresses to exploit the vulnerability, using more than 30 addresses.
The fees of these addresses all came from the address 0x1634Bf68e6b3Bb8D79388EfB3d1A5215506FBbEd, and the fee of that address was transferred in through the KuCoin and ChangeNow platforms.
Then, by using the same vulnerability to attack the contract, the stolen funds were transferred to the hacker address, and then part of the funds were transferred to multiple consolidated addresses.
On the Polygon chain
The flow on Polygon is similar to that on Ethereum and BSC. The hackers continued to use some of the same addresses to carry out the stealing operations and used contract bugs to transfer assets to the hacker's addresses.
First, the hacker called the attacked contract through a batch of addresses to exploit the vulnerability. On Polygon the hacker used only one address, 0x09F92eDce2E46C399BFE7881a7619598AF8436d5, and its fee was transferred in through FixedFloat.
Then, by using the same vulnerability to attack the contract, the stolen funds were transferred to the collection address, and then part of the funds were transferred to multiple consolidated addresses.
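The fee-tracing method used throughout the fund-flow sections above (group the addresses that called the attacked contract by the common address that paid their gas, then follow that funder's balance upstream until it reaches a labelled exchange or mixer) can be expressed as a small graph walk. This is an added example, not Beosin KYT/AML code; the transfer list, address labels and service names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed transfer graph (sender, receiver, amount in ETH) shaped like the
# fee flows described above. Addresses are placeholder labels, not the real ones.
TRANSFERS = [
    ("FixedFloat-hot-wallet", "funder-A", 1.0),
    ("funder-A", "caller-1", 0.05),
    ("funder-A", "caller-2", 0.05),
    ("funder-A", "caller-3", 0.05),
    ("KuCoin-hot-wallet", "transit-1", 0.5),
    ("transit-1", "funder-B", 0.4),       # one layer of transit, as with the Bybit flow
    ("funder-B", "caller-4", 0.05),
    ("retail-user", "caller-5", 0.2),     # unrelated funding, no known service upstream
]
# Labelled entities that end a trace (exchange wallets, mixers); constructed labels.
KNOWN_SERVICES = {"FixedFloat-hot-wallet": "FixedFloat", "KuCoin-hot-wallet": "KuCoin"}

def build_incoming(transfers):
    """Map each address to the set of addresses that sent it funds."""
    incoming = defaultdict(set)
    for sender, receiver, _amount in transfers:
        incoming[receiver].add(sender)
    return incoming

def trace_fee_source(address, incoming, max_hops=6):
    """Walk funding edges upstream (BFS) until a labelled service is reached.
    Returns (service name, hops) or None if nothing known is found within max_hops."""
    queue, seen = deque([(address, 0)]), {address}
    while queue:
        addr, hops = queue.popleft()
        if addr in KNOWN_SERVICES:
            return KNOWN_SERVICES[addr], hops
        if hops < max_hops:
            for sender in incoming.get(addr, ()):
                if sender not in seen:
                    seen.add(sender)
                    queue.append((sender, hops + 1))
    return None

def cluster_by_gas_funder(callers, transfers):
    """Group contract-calling addresses by the address that paid their gas and
    report where that funder's own balance came from."""
    incoming = build_incoming(transfers)
    clusters = defaultdict(set)
    for caller in callers:
        for funder in incoming.get(caller, ()):
            clusters[funder].add(caller)
    return {funder: {"callers": sorted(members), "fee_source": trace_fee_source(funder, incoming)}
            for funder, members in clusters.items()}
```

A cluster whose members all share one funder that itself drew from a single exchange withdrawal is the pattern the sections above describe for each chain; the exchange is then the point where a KYT request can attach an identity.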
Currently, the Beosin security team is working with Poly Network to deal with this security incident and the latest progress will be shared with you as soon as possible.
Beosin is a leading global blockchain security company co-founded by several professors from world-renowned universities, with 40+ PhDs on the team. It has offices in Singapore, Korea, Japan, and 10+ other countries. With the mission of "Securing Blockchain Ecosystem", Beosin provides an "All-in-one" blockchain security solution covering Smart Contract Audit, Risk Monitoring & Alert, KYT/AML, and Crypto Tracing. Beosin has audited more than 3000 smart contracts and protected more than $500 billion of client funds.
If you need any blockchain security services, please contact us: