The Poly Network cyberattack saga has dragged into its second week with the hacker or hackers yet to provide the key for the multi-signature wallet needed to complete the full return of the roughly $600 million that was stolen, with the exception of the $33 million worth of the stablecoin USDT that was frozen by Tether.
- China-based Poly Network had previously offered $500,000 to the attacker or attackers as a reward for returning the money taken on the Binance Smart Chain (BSC), Ethereum and Polygon platforms in what is likely the largest-ever hack of a decentralized finance (DeFi) site.
- The hack or hackers acknowledged receiving the offer and initially said they had declined it, but had instead begun (and eventually completed) returning the stolen funds to a multi-signature wallet set up by Poly Network. The hacker or hackers haven’t turned over the final key for the wallet, though.
- In a message posted to the Ethereum blockchain at 1:45 p.m. UTC on Monday, the attacker, who the Poly Network is calling “Mr. White Hat” but who some others doubt is a true white hat hacker, said that they were considering taking the bounty and using it to reward anyone else who can hack the cross-chain platform. A “white hat” attacker is one who tries to exploit vulnerabilities in a protocol to help expose and ultimately fix bugs or loopholes in the underlying code.
- ”MONEY MEANS LITTLE TO ME, SOME PEOPLE ARE PAID TO HACK, I WOULD RATHER PAY FOR THE FUN,” the attacker or attackers wrote. “IF THE POLY DON’T GIVE THE IMAGINARY BOUNTY, AS EVERYBODY EXPECTS, I HAVE WELL ENOUGH BUDGET TO LET THE SHOW GO ON.”
- ”I TRUST SOME OF THEIR CODE, I WOULD PRAISE THE OVERALL DESIGN OF THE PROJECT, BUT I NEVER TRUST THE WHOLE POLY TEAM,” the attacker added.
- ”I WILL PROVIDE THE FINAL KEY WHEN _EVERYONE_ IS READY. MY IDEA IS NOT CHANGED, BUT I DO WORRY IT MIGHT BE AN ENDLESS WAR. SO I MIGHT RELEASE IT EARLIER AS LONG IF THE COMMUNITY UNDERSTANDS EVERYTHING.”
- In an email to the media on Tuesday at 10:25 a.m. UCT, Poly Network said that it has completed the second phase of its “Mainnet Upgrade” in response to the attack, and has maintained daily contact with the attacker to update him or her on their progress. “We have made constant efforts to establish an understanding with Mr. White Hat and genuinely hope that Mr. White Hat will transfer the private keys as soon as possible so that we can return full asset control back to the users at the earliest.”
- Poly Network also said it is counting on “experts” like the attacker to help improve the security of its network, and with that in mind, was inviting him or her to become Poly Network’s Chief Security Advisor.
- Poly Network reiterated that it has no intention of holding the attacker legally responsible, and that its offer to reward Mr. White Hat with a $500,000 bug bounty still stood, despite the attacker considering using the funds to reward others who are able to hack the Poly Network. “We fully respect Mr. White Hat's thoughts, and to express our gratitude, we will still transfer this $500,000 bounty to a wallet address approved by Mr. White Hat for him to use it at his own discretion for the cause of cybersecurity and supporting more projects and individuals,” the Poly Network said. “Whatever Mr. White Hat chooses to do with the bounty in the end, we have no objections.
- Poly Network also joined Immunefi in offering a separate bug bounty of $100,000 for finding critical vulnerabilities in its network, with a total bounty pool of $500,000 for security researchers and white hats who submit valid bugs.
UPDATE (August 17, 12:46 UTC): Updated with information about Poly Network’s latest response to the attack in bullet points seven, eight, nine and ten.