The PolyHack

Brookfield Brief
Published in Digital Diplomacy
Aug 12, 2021

Ever hear of bank robbers pulling off a successful heist and then deciding to return the money? Yeah, neither have we. On Tuesday, “hackers perpetrated what is likely the biggest theft ever in the world of decentralized finance, stealing about $600 million in cryptocurrency from a protocol known as PolyNetwork that lets users swap tokens across multiple blockchains.”

PolyNetwork Platform (Source: PolyNetwork)

Like most hacking victims, PolyNetwork could not do much except ask the hacker nicely to give the money back. So, they did. PolyNetwork tweeted a picture of a letter addressed “Dear Hacker.”

“We want to establish communication with you and urge you to return the hacked assets,” it says. “The money you stole are from tens of thousands of crypto community members, hence the people. You should talk to us to work out a solution.”

Apparently, it worked…

For whatever reason, the hackers were like, yeah, okay. They have now returned $256 million in tokens out of the haul so far. The apparent hackers embedded the message, “READY TO RETURN THE FUND!” in an Ethereum transaction on Thursday morning. A second message embedded in a transaction read, “IT’S ALREADY A LEGEND TO WIN SO MUCH FORTUNE. IT WILL BE AN ETERNAL LEGEND TO SAVE THE WORLD. I MADE THE DECISION, NO MORE DAO”.

Hackers can be strange creatures; for some it’s simply about having the ability and power to pull off disruptive feats and make a statement for the sake of street cred, or perhaps they were truly just bored. While fear seems an unlikely motive for the return, blockchain security firm SlowMist has identified the hacker’s transaction ID information, which is largely inconsequential at this juncture. If the hacker(s) do return the entirety of the haul, they’re certainly bound to take a hit in gas fees.

The PolyNetwork hack underscores the infancy of smart contract security. Large-scale crypto projects are often largely open source, which allows the savvy keyboard bandit to find flaws in projects and exploit them. While this can be viewed as a flaw, it’s also not a bug; it’s a feature. It’s just still very early. Unlike banks, crypto projects cannot throw the same level of cybersecurity manpower at securing these environments. The vulnerability of a project becomes a further free market proof of concept. If a large breach occurs so does public trust, but at the same time, when it comes to the security of capital, that market isn’t necessarily forgiving.

Brookfield Brief is a weekly newsletter covering the most relevant stories in business, finance, and tech news.
