Poly Network has advised users to withdraw funds following a recent exploit that impacted 57 different crypto assets. According to a Cointelegraph report, blockchain security firm Dedaub attributed the breach to compromised private keys.
The attack, which occurred on July 2, involved the hacker generating billions of tokens and manipulating a smart contract function on the cross-chain bridge protocol. As a precautionary measure, Poly Network temporarily suspended its services.
The Poly Network team has provided further updates on the incident, revealing that the exploit affected assets across 10 blockchains, including Ethereum, BNB Chain, Polygon, Avalanche, Heco, OKX, and Metis.
The exact amount stolen has not been specified, but preliminary reports suggest that at least $5 million worth of crypto was transferred out by the exploiter.
CertiK estimated that the attack resulted in approximately $10 million worth of crypto being collected across five externally owned addresses.
In response to the breach, Poly Network has initiated communication with centralized exchanges and law enforcement agencies to seek assistance. The team has advised project teams and tokenholders to withdraw liquidity and unlock their liquidity provider tokens.
An analysis of the exploit by DeFi security analyst Arhat found that the hacker exploited a smart contract vulnerability by crafting a malicious parameter with a fake validator signature and block header. The forged parameter bypassed verification and let the hacker issue tokens from Poly Network’s Ethereum pool to their own addresses on different chains. The process was repeated across multiple chains, enabling the hacker to accumulate a significant token stash.
Although the hacker’s wallet briefly held around $42 billion worth of tokens, they were only able to convert and steal a portion of that amount.