Poly Network Hack 2021 — $611M Exploit Analysis

Attacker exploited a flaw in Poly Network's cross-chain contract to override keeper role and transfer assets.

Details

Full Description

The attacker discovered a vulnerability in Poly Network's EthCrossChainManager contract that allowed them to pass a crafted transaction to change the keeper address to their own. By exploiting the _executeCrossChainTx function, they replaced the legitimate keeper with their address across Ethereum, BSC, and Polygon, then drained all funds.

Laundering Analysis

In an unprecedented move, the attacker returned nearly all funds within two weeks, claiming it was a white-hat operation. Funds were returned to a multi-sig controlled jointly by Poly Network and the attacker. Final $33M USDT was frozen by Tether and returned.

Sources

Transaction Hashes

Related Hacks

Back to Browse