Attacker exploited a flaw in Poly Network's cross-chain contract to override keeper role and transfer assets.
The attacker discovered a vulnerability in Poly Network's EthCrossChainManager contract that allowed them to pass a crafted transaction to change the keeper address to their own. By exploiting the _executeCrossChainTx function, they replaced the legitimate keeper with their address across Ethereum, BSC, and Polygon, then drained all funds.
In an unprecedented move, the attacker returned nearly all funds within two weeks, claiming it was a white-hat operation. Funds were returned to a multi-sig controlled jointly by Poly Network and the attacker. Final $33M USDT was frozen by Tether and returned.
0xad7a2c70c958fcd3effbf374d3e9d8fed718a58f6a5a166d6cefc58c3ef81b97