Explained: The Poly Network Hack (July 2023)


Rob Behnke

July 4th, 2023

In July 2023, Poly Network experienced another major hack. The attacker exploited a vulnerability in the project’s smart contracts to mint tokens worth an estimated $43 billion.

Inside the Attack

The hack exploited a vulnerability in the Poly Network smart contracts. It’s believed that the attacker crafted a malicious parameter containing a fake block header and validator signature. This allowed the attacker to bypass the bridge’s validation process and withdraw tokens from the bridge to their own address.

The end result was that the attacker was able to withdraw assets from the bridge contract that didn’t actually exist. The attacker performed this attack using 57 different crypto assets across 10 different blockchains. In total, their account held an estimated $43 billion in stolen assets.

However, holding this balance didn’t mean that the attacker could cash it out. In fact, limited liquidity meant that the attacker was only able to steal an estimated $10 million from the protocol.

Lessons Learned from the Attack

Verification bypasses are a common attack vector for cross-chain bridges. In recent hacks of bridges such as Qubit, Meter.io, and Wormhole, attackers identified vulnerabilities in transaction validation that enabled them to get malicious transactions approved.
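The kind of quorum check a bridge's header validation depends on, sketched in Go as an added example (not Poly Network's contract code, whose flaw this article does not detail). It assumes a simplified model: Ed25519 validator keys, a 2-of-3 threshold, and constructed keys and header bytes; `Sig`, `VerifyHeader`, `key`, `sign` and `Demo` are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Sig is one validator signature relayed with a cross-chain block header.
type Sig struct {
	Signer string // validator ID claimed by the relayed message
	Value  []byte // Ed25519 signature over the header bytes
}

// VerifyHeader needs `threshold` DISTINCT signers from the trusted set held in bridge state.
func VerifyHeader(header []byte, sigs []Sig, trusted map[string]ed25519.PublicKey, threshold int) error {
	if threshold < 1 || threshold > len(trusted) {
		return fmt.Errorf("invalid threshold %d", threshold)
	}
	seen := map[string]bool{}
	for _, s := range sigs {
		if pub, ok := trusted[s.Signer]; ok && !seen[s.Signer] && ed25519.Verify(pub, header, s.Value) {
			seen[s.Signer] = true // unknown or repeated signers and bad signatures never count
		}
	}
	if len(seen) < threshold {
		return fmt.Errorf("quorum not met: %d valid, %d required", len(seen), threshold)
	}
	return nil
}

// key derives a constructed, deterministic key from one seed byte (sample data only).
func key(seed byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
}

// sign signs the header as validator `id` using the constructed key for `seed`.
func sign(id string, seed byte, h []byte) Sig {
	return Sig{Signer: id, Value: ed25519.Sign(key(seed), h)}
}

// Demo runs three constructed cases: honest quorum, forged signatures, one signer repeated.
func Demo() (honest, forged, repeated error) {
	trusted := map[string]ed25519.PublicKey{}
	for i, id := range []string{"v1", "v2", "v3"} {
		trusted[id] = key(byte(i + 1)).Public().(ed25519.PublicKey)
	}
	h := []byte("height=100;stateRoot=constructed")
	honest = VerifyHeader(h, []Sig{sign("v1", 1, h), sign("v2", 2, h)}, trusted, 2)
	forged = VerifyHeader(h, []Sig{sign("v1", 9, h), sign("v2", 8, h)}, trusted, 2)
	repeated = VerifyHeader(h, []Sig{sign("v1", 1, h), sign("v1", 1, h)}, trusted, 2)
	return
}
func main() { fmt.Println(Demo()) }
```

The forged case carries signatures that claim trusted validator IDs but were made with other keys, so none count; the repeated case shows why signers must be deduplicated before comparing against the threshold.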

Identifying vulnerabilities in bridge smart contracts before launch is essential to protecting against these high-value attacks. To learn more about protecting your bridge contracts, get in touch with Halborn.