Bitcoin Forum
August 15, 2022, 04:56:30 AM *
News: Latest Bitcoin Core release: 23.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Poly Network Hack Clarification  (Read 118 times)
dimonstration
Hero Member
*****
Offline Offline

Activity: 1960
Merit: 559


Leading Crypto Sports Betting & Casino Platform


View Profile
August 11, 2021, 04:57:04 AM
Merited by Daltonik (2)
 #1

WHO DID THE HACK TARGET?

This is a big question to ask. I've seen a couple of comments like "Not your keys, not your Crypto" and likening it to BitConnect or Mt. Gox. It's similar but with a big caveat, these types of attacks don't typically target users crypto in their wallet. Custodial exchange and centralized lending will often target users crypto just sitting in a spot wallet.

When you supply liquidity to a protocol on DeFi it is not your crypto. You're keys should still be able to authorize the withdrawal of that crypto or your wallet will have a receipt of supplying like cETH or LP tokens. You are still ultimately the custodian of your own crypto in DeFi

If you've been interacting with DeFi protocols, it is highly unlikely you will wake up to a drained Metamask after one of these hacks. You are too small of a fish for those types of attacks to target. You are more likely to have to fall for a phishing scam if that is the case.

Typically hacks like this target liquidity pools. Liquidity pools often have immense value in them. You may lose crypto you have deposited in a hacked pool or farm, but often times protocols come up with solutions to reimburse any lost crypto like PancakeBunny earlier this year that suffered a flash loan attack.

Poly Network holds large liquidity pools to facilitate cross chain transfers. Holding a lot of exit liquidity on each chain. The money that was hacked from this event is likely to have been stolen from those who have large amounts of liquidity staked. This is not likely to be you farming CAKE on PCS!

Cross Chain protocols are incredibly hard to code, and they should be treated with caution when supplying liquidity to them.



HOW DID THE ATTACK TAKE PLACE?

I want to keep this part simple for those not technically minded but there are currently two working theories as to how the hack took place. They both involve the private keys for the ownership of the liquidity pools.

🔑Theory 1: Leaked Key

Poly Network has a big security problem from the outset. They had a single sig key to the pools which means that only one signer would need to authorise any changes to the liquidity pool, including withdrawal of funds. This is like leaving a vault of gold with only one key. If you wanted to access this, there wouldn't be any other parties involved.

Current theories suggest that this key was leaked or hacked via another method off-chain. This is the story from early official post mortem from Poly Network

EDIT: This theory has been disproved by Poly Network, but I wrote it so I thought I'd leave it here as an example of an early working theory

🖋 Theory 2: Hacked Contracts

There are two important contracts. A "manager" contract and a "data" contract. The data contract specifies the address which can submit transactions which can withdraw funds from the pool. If someone was to replace this address in the contract to theirs, they could withdraw as much from the pools as possible.

In solidity there is a concept called ownership. A smart contract can set certain functions to only execute if the owner executed them. Typically, when constructed the owner is the wallet who deployed the contract, which is typically the developer. However, in this case the owner of the "Data" contract was the "Manager" contract.

So now, if you were to call a function which could replace the address in the data contract with theirs from the manager, it would be allowed.

But here's another flaw in the design of Poly Network. The "manager" contract exists to run transactions on different chains. It has a function called verifyHeaderAndExecuteTx which verifies that a transaction exists on one chain, and if it does, runs it on another. This is needed for cross chain interoperability.

But wait... we've now got a way to run arbitrary functions from the "manager". If the attacker devises a specific input they can now freely set the most important address, the one which says who can withdraw from the pools, to theirs.



NOTE: I don't own the content, I just want to share the beautiful explanation and analysis of Crypto Vigilante

Content Source: https://t.me/CryptoVigilanteANN/530

..Stake.com..   ▄████████████████████████████████████▄
   ██ ▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄ ██  ▄████▄
   ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██  ██████
   ██ ██████████ ██      ██ ██████████ ██   ▀██▀
   ██ ██      ██ ██████  ██ ██      ██ ██    ██
   ██ ██████  ██ █████  ███ ██████  ██ ████▄ ██
   ██ █████  ███ ████  ████ █████  ███ ████████
   ██ ████  ████ ██████████ ████  ████ ████▀
   ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
   ██            ▀▀▀▀▀▀▀▀▀▀            ██ 
   ▀█████████▀ ▄████████████▄ ▀█████████▀
  ▄▄▄▄▄▄▄▄▄▄▄▄███  ██  ██  ███▄▄▄▄▄▄▄▄▄▄▄▄
 ██████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀█▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀       ▐█▌       ▀█▄
██         ▐█▌         ██
████▄     ▄█████▄     ▄████
████████▄███████████▄████████
███▀    █████████████    ▀███
██       ███████████       ██
▀█▄       █████████       ▄█▀
▀█▄    ▄██▀▀▀▀▀▀▀██▄  ▄▄▄█▀
▀███████         ███████▀
▀█████▄       ▄█████▀
▀▀▀███▄▄▄███▀▀▀
..PLAY NOW..
1660539390
Hero Member
*
Offline Offline

Posts: 1660539390

View Profile Personal Message (Offline)

Ignore
1660539390
Reply with quote  #2

1660539390
Report to moderator
1660539390
Hero Member
*
Offline Offline

Posts: 1660539390

View Profile Personal Message (Offline)

Ignore
1660539390
Reply with quote  #2

1660539390
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
Daltonik
Legendary
*
Online Online

Activity: 2030
Merit: 1202


Leading Crypto Sports Betting & Casino Platform


View Profile
August 17, 2021, 04:32:28 PM
 #2

The developers of Poly Network announced the launch of a bounty program to search for bugs in the main functions of the protocol. The purpose of the program is to prevent the repetition of exploits and eliminate possible vulnerabilities. Its launch is scheduled for August 17, and the scheme provides for a payment of up to $100,000 for each detected error with a total fund of $500,000.



..Stake.com..   ▄████████████████████████████████████▄
   ██ ▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄ ██  ▄████▄
   ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██  ██████
   ██ ██████████ ██      ██ ██████████ ██   ▀██▀
   ██ ██      ██ ██████  ██ ██      ██ ██    ██
   ██ ██████  ██ █████  ███ ██████  ██ ████▄ ██
   ██ █████  ███ ████  ████ █████  ███ ████████
   ██ ████  ████ ██████████ ████  ████ ████▀
   ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
   ██            ▀▀▀▀▀▀▀▀▀▀            ██ 
   ▀█████████▀ ▄████████████▄ ▀█████████▀
  ▄▄▄▄▄▄▄▄▄▄▄▄███  ██  ██  ███▄▄▄▄▄▄▄▄▄▄▄▄
 ██████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀█▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀       ▐█▌       ▀█▄
██         ▐█▌         ██
████▄     ▄█████▄     ▄████
████████▄███████████▄████████
███▀    █████████████    ▀███
██       ███████████       ██
▀█▄       █████████       ▄█▀
▀█▄    ▄██▀▀▀▀▀▀▀██▄  ▄▄▄█▀
▀███████         ███████▀
▀█████▄       ▄█████▀
▀▀▀███▄▄▄███▀▀▀
..PLAY NOW..
Silver80
Full Member
***
Offline Offline

Activity: 686
Merit: 103


View Profile
August 17, 2021, 05:04:23 PM
Last edit: August 18, 2021, 04:37:04 PM by Silver80
 #3

The developers of Poly Network announced the launch of a bounty program to search for bugs in the main functions of the protocol. The purpose of the program is to prevent the repetition of exploits and eliminate possible vulnerabilities. Its launch is scheduled for August 17, and the scheme provides for a payment of up to $100,000 for each detected error with a total fund of $500,000.



this proves that the poly network is very confident in their security at first, why am I talking like that because most people do security after the incident, they will carry out a bounty hunt after a big miss, they should have done it earlier so that this didn't happen, luckily it was returned.
ryzaadit
Legendary
*
Offline Offline

Activity: 1834
Merit: 1134



View Profile
August 17, 2021, 06:11:25 PM
 #4

I read the Q&A from the hacker on the chain.

However, the points about hacking on bridge chain he was really on the points. I think bridge systems have a really high potential to get leaked or hacked, before poly network on my project "Chainport" a bridge service is also got hacked.

Not really more than 10M$ but based on this a bit worried about bridge service.

.freebitcoin.       ▄▄▄█▀▀██▄▄▄
   ▄▄██████▄▄█  █▀▀█▄▄
  ███  █▀▀███████▄▄██▀
   ▀▀▀██▄▄█  ████▀▀  ▄██
▄███▄▄  ▀▀▀▀▀▀▀  ▄▄██████
██▀▀█████▄     ▄██▀█ ▀▀██
██▄▄███▀▀██   ███▀ ▄▄  ▀█
███████▄▄███ ███▄▄ ▀▀▄  █
██▀▀████████ █████  █▀▄██
 █▄▄████████ █████   ███
  ▀████  ███ ████▄▄███▀
     ▀▀████   ████▀▀
BITCOIN
DICE
EVENT
BETTING
WIN A LAMBO !

.
            ▄▄▄▄▄▄▄▄▄▄███████████▄▄▄▄▄
▄▄▄▄▄██████████████████████████████████▄▄▄▄
▀██████████████████████████████████████████████▄▄▄
▄▄████▄█████▄████████████████████████████▄█████▄████▄▄
▀████████▀▀▀████████████████████████████████▀▀▀██████████▄
  ▀▀▀████▄▄▄███████████████████████████████▄▄▄██████████
       ▀█████▀  ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  ▀█████▀▀▀▀▀▀▀▀▀▀
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
.PLAY NOW.
Daltonik
Legendary
*
Online Online

Activity: 2030
Merit: 1202


Leading Crypto Sports Betting & Casino Platform


View Profile
August 18, 2021, 04:10:17 PM
 #5

Now the developers of Poly Network themselves offer the hacker who stole $611 million from her the position of chief security adviser. The company called on him to continue to help contribute to the development of blockchain technology security. https://www.bloomberg.com/news/articles/2021-08-18/victim-of-major-defi-cyberattack-offers-its-hacker-a-job?sref=Y0jVLcFo

..Stake.com..   ▄████████████████████████████████████▄
   ██ ▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄ ██  ▄████▄
   ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██  ██████
   ██ ██████████ ██      ██ ██████████ ██   ▀██▀
   ██ ██      ██ ██████  ██ ██      ██ ██    ██
   ██ ██████  ██ █████  ███ ██████  ██ ████▄ ██
   ██ █████  ███ ████  ████ █████  ███ ████████
   ██ ████  ████ ██████████ ████  ████ ████▀
   ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
   ██            ▀▀▀▀▀▀▀▀▀▀            ██ 
   ▀█████████▀ ▄████████████▄ ▀█████████▀
  ▄▄▄▄▄▄▄▄▄▄▄▄███  ██  ██  ███▄▄▄▄▄▄▄▄▄▄▄▄
 ██████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀█▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀       ▐█▌       ▀█▄
██         ▐█▌         ██
████▄     ▄█████▄     ▄████
████████▄███████████▄████████
███▀    █████████████    ▀███
██       ███████████       ██
▀█▄       █████████       ▄█▀
▀█▄    ▄██▀▀▀▀▀▀▀██▄  ▄▄▄█▀
▀███████         ███████▀
▀█████▄       ▄█████▀
▀▀▀███▄▄▄███▀▀▀
..PLAY NOW..
Silver80
Full Member
***
Offline Offline

Activity: 686
Merit: 103


View Profile
August 18, 2021, 04:45:04 PM
 #6

Now the developers of Poly Network themselves offer the hacker who stole $611 million from her the position of chief security adviser. The company called on him to continue to help contribute to the development of blockchain technology security. https://www.bloomberg.com/news/articles/2021-08-18/victim-of-major-defi-cyberattack-offers-its-hacker-a-job?sref=Y0jVLcFo
I have said that poly network confidence is high now, after they were cheated some time ago, and this triggered some hackers to break into to get the award, they will race against time as to whether this network is working well to secure its existing customers so they don't move.  other networks.
ryzaadit
Legendary
*
Offline Offline

Activity: 1834
Merit: 1134



View Profile
August 18, 2021, 05:27:44 PM
 #7

-snip-
Is not crazy, first things you should know there is no easy to laundry the money he was stolen the reason is simple:
- The money is too big to be laundry even you are using mixing service still can get caught
- All exchange is blacklisted and market the address
- Some of the money "USDT" has been locked by Tether Foundation

Now, since he can't do anything about the money and If he tried the withdraw the money police, FBI or whatever gonna arrest him. It's better to refund the money, he got a reward 500,000 USD which is not really bad.

.freebitcoin.       ▄▄▄█▀▀██▄▄▄
   ▄▄██████▄▄█  █▀▀█▄▄
  ███  █▀▀███████▄▄██▀
   ▀▀▀██▄▄█  ████▀▀  ▄██
▄███▄▄  ▀▀▀▀▀▀▀  ▄▄██████
██▀▀█████▄     ▄██▀█ ▀▀██
██▄▄███▀▀██   ███▀ ▄▄  ▀█
███████▄▄███ ███▄▄ ▀▀▄  █
██▀▀████████ █████  █▀▄██
 █▄▄████████ █████   ███
  ▀████  ███ ████▄▄███▀
     ▀▀████   ████▀▀
BITCOIN
DICE
EVENT
BETTING
WIN A LAMBO !

.
            ▄▄▄▄▄▄▄▄▄▄███████████▄▄▄▄▄
▄▄▄▄▄██████████████████████████████████▄▄▄▄
▀██████████████████████████████████████████████▄▄▄
▄▄████▄█████▄████████████████████████████▄█████▄████▄▄
▀████████▀▀▀████████████████████████████████▀▀▀██████████▄
  ▀▀▀████▄▄▄███████████████████████████████▄▄▄██████████
       ▀█████▀  ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  ▀█████▀▀▀▀▀▀▀▀▀▀
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
.PLAY NOW.
Daltonik
Legendary
*
Online Online

Activity: 2030
Merit: 1202


Leading Crypto Sports Betting & Casino Platform


View Profile
August 19, 2021, 04:07:57 PM
 #8

Yes it seems that the hacker got into a difficult situation due to the fact that his USDT is still blocked besides, as they say, he transferred funds to his wallet from an account on the exchange hoo.com which has KYC, unless it is a hacked account. https://twitter.com/luojeth/status/1425099729969483778 And now he reproaches the Poly team that his USDT is still blocked, and the hacker threatens to postpone the refund.

Quote
DEAR POLY,
GLAD TO SEE THAT YOU ARE MOVING THINGS TO THE RIGHT DIRECTION! YOUR ESSAYS ARE VERY CONVINCING WHILE YOUR ACTIONS ARE SHOWING YOUR DISTRUST, WHAT A FUNNY GAME. YOU DON'T EVEN THINK TO UNLOCK MY USDT ACCOUNT.
I AM NOT READY TO PUBLISH THE KEY IN THIS WEEK. IF YOU ARE WORRY ABOUT THE INTEREST, I COULD SIGN THE TRANSACTION OF DAI TOKEN TO THE PREVIOUS MULTISIG WALLET, THEN YOU CAN DEPOSIT THE STABLES LIKE WHAT I DID LAST WEEK. NOW IT'S THE SAME SITUATION WITH A FEW DAYS AGO: IF YOU TRUST ME, YOU CAN HAVE A GOOD REST AND FOCUS ON THE REPAIRING AND RESTORING PROCESS. HERE IS ONE THING THAT YOU CAN ALWAYS TRUST ME: HOLDING BTC & ETH IS BETTER THAN TRADING THEM.

Earlier the Poly team was a response to the Poly team's message, assured the hacker that it is doing everything possible to remove the Tether lock and expects an early result:

Quote
Thank you very much for your suggestions, but we are unlikely to get a proper rest until we fully return the user assets. For us, there is still a lot of work to be done. Recovering everything as soon as possible is our first priority.

Regarding the issue of locked USDT you brought up, we are already communicating with Tether. For Tether, how to deal with this USDT pool is a question that requires careful consideration and prudent decision-making. We believe that there will be a concrete result soon, and we also need this part of assets to complete the full asset recovery.

We well understand your idea to deposit DAI to earn interest from it, but unfortunately Poly Network does not have the right to perform any operations on the user’s assets. What we can do is to convert DAI back to USDC to restore the user’s assets. We will use our own funds to compensate the slippage incurred in the transaction, but we still hope that you can return DAI to us first, which will help us convert into USDC in batches and reduce the slippage costs.

At the same time, even though we did not receive your feedback on the matter yet, we still decided to go ahead and transfer 160ETH to the address (0xA87fB85A93Ca072Cd4e5F0D4f178Bc831Df8a00B). We hope that the funds can be used to incentivize more security experts to contribute to blockchain security in the future.

With regards to Poly Network's decentralization upgrade, we decided to use the multi-signature of relay chain validators to authorize upgrades. We also hope to invite you to participate in the future development of the Poly Network. If you want, your address (0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963) can be one of the validators.

Finally, we still hope you can provide the key to us this week, because thousands of users are waiting get their assets back. The sooner the asset recovery can be carried out, the more negative emotions will be avoided, and we believe it is the right way to treat our users.

Poly Network Team

..Stake.com..   ▄████████████████████████████████████▄
   ██ ▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄ ██  ▄████▄
   ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██  ██████
   ██ ██████████ ██      ██ ██████████ ██   ▀██▀
   ██ ██      ██ ██████  ██ ██      ██ ██    ██
   ██ ██████  ██ █████  ███ ██████  ██ ████▄ ██
   ██ █████  ███ ████  ████ █████  ███ ████████
   ██ ████  ████ ██████████ ████  ████ ████▀
   ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
   ██            ▀▀▀▀▀▀▀▀▀▀            ██ 
   ▀█████████▀ ▄████████████▄ ▀█████████▀
  ▄▄▄▄▄▄▄▄▄▄▄▄███  ██  ██  ███▄▄▄▄▄▄▄▄▄▄▄▄
 ██████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀█▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀       ▐█▌       ▀█▄
██         ▐█▌         ██
████▄     ▄█████▄     ▄████
████████▄███████████▄████████
███▀    █████████████    ▀███
██       ███████████       ██
▀█▄       █████████       ▄█▀
▀█▄    ▄██▀▀▀▀▀▀▀██▄  ▄▄▄█▀
▀███████         ███████▀
▀█████▄       ▄█████▀
▀▀▀███▄▄▄███▀▀▀
..PLAY NOW..
Silberman
Legendary
*
Offline Offline

Activity: 1876
Merit: 1084


Leading Crypto Sports Betting & Casino Platform


View Profile
August 19, 2021, 08:27:05 PM
 #9

Now the developers of Poly Network themselves offer the hacker who stole $611 million from her the position of chief security adviser. The company called on him to continue to help contribute to the development of blockchain technology security. https://www.bloomberg.com/news/articles/2021-08-18/victim-of-major-defi-cyberattack-offers-its-hacker-a-job?sref=Y0jVLcFo
I have said that poly network confidence is high now, after they were cheated some time ago, and this triggered some hackers to break into to get the award, they will race against time as to whether this network is working well to secure its existing customers so they don't move.  other networks.
I do not really see how that can be said at all, the hack they were victims of by this hacker was massive and it just showed their incompetence and their lack of knowledge about their own technology, what kind of assurance they can give to their clients that this is not going to happen again when it is obvious they have been giving those assurances in the past and then this happened? If anything I am surprised they are still around after such a massive hack since it was the hacker that decided to return the funds and it was not because they could track him down and arrest him.

..Stake.com..   ▄████████████████████████████████████▄
   ██ ▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄ ██  ▄████▄
   ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██  ██████
   ██ ██████████ ██      ██ ██████████ ██   ▀██▀
   ██ ██      ██ ██████  ██ ██      ██ ██    ██
   ██ ██████  ██ █████  ███ ██████  ██ ████▄ ██
   ██ █████  ███ ████  ████ █████  ███ ████████
   ██ ████  ████ ██████████ ████  ████ ████▀
   ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
   ██            ▀▀▀▀▀▀▀▀▀▀            ██ 
   ▀█████████▀ ▄████████████▄ ▀█████████▀
  ▄▄▄▄▄▄▄▄▄▄▄▄███  ██  ██  ███▄▄▄▄▄▄▄▄▄▄▄▄
 ██████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀█▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀       ▐█▌       ▀█▄
██         ▐█▌         ██
████▄     ▄█████▄     ▄████
████████▄███████████▄████████
███▀    █████████████    ▀███
██       ███████████       ██
▀█▄       █████████       ▄█▀
▀█▄    ▄██▀▀▀▀▀▀▀██▄  ▄▄▄█▀
▀███████         ███████▀
▀█████▄       ▄█████▀
▀▀▀███▄▄▄███▀▀▀
..PLAY NOW..
Kavelj22
Hero Member
*****
Offline Offline

Activity: 1120
Merit: 767


EN >> AR Translator


View Profile
August 19, 2021, 08:42:37 PM
 #10

-snip-
Is not crazy, first things you should know there is no easy to laundry the money he was stolen the reason is simple:
- The money is too big to be laundry even you are using mixing service still can get caught
- All exchange is blacklisted and market the address
- Some of the money "USDT" has been locked by Tether Foundation

In addition, the Hacker ID was identified by some security institutions which can be considered as a threat to the hacker in case he won't resend the money back to the platform. However, after returning the money, the hacker isn't forced to give details about the loophole in the system.

And as mentioned above, he can be the winner of the bug bounty additional to the 500k he got from Poly. Clever or lucky?

███████████████████████████
█████████▀▄▄▄▄▄██▀▀████████
█████▀▄█▀▀▄▄▄▄▄▄▄▀▀▄▄▀█████
████ █▀▄███████████▄▀██████
███▄█ ███████▀ ██████ █ ███
██▀█ ███  ▀▀█  ▀██████ █ ██
██ █ ████▄▄      ▀▀▀██ █ ██
██ █ █████▌        ▄██ ████
███▄█ █████▄▄   ▄▄███ █▀███
████▀█▄▀█████▌  ▀██▀▄█ ████
█████▄▀▀▄▄▀▀▀▀   ▄▄█▀▄█████
████████▄██▀▀▀▀▀▀██████████
███████████████████████████
.
█ █▀█ █▀█ █▀█  ▄  ▄▀▀ █   ▄▀█ ▀█▀ ▄▀▀ ▄███▄
█ █▀█ █ █ █ █ ▀█▀ ▀▀█ █   █ █  █  ▀▀█ ▀███▀
█ █▄█ █▄█ █▄█     ▄▄▀ ▀▄▄ █▄▀  █  ▄▄▀  
                                        █
████████████████████████████████████ 
███▀▀▀▀▀▀██████▀▀▀▀▀▀██████▀▀▀▀▀▀███ 
█▀▄██▀███▄▀██▀▄██▀███▄▀██▀▄██▀███▄▀████▄
█ █ ▀ ▀███ ██ █ ▀ ▀███ ██ █ ▀ ▀███ █████
█ ██    ▄█ ██ ██    ▄█ ██ ██    ▄█ █████
█▄▀██  ▀█▀▄██▄▀██  ▀█▀▄██▄▀██  ▀█▀▄████▀
███▄▄▄▄▄▄██████▄▄▄▄▄▄██████▄▄▄▄▄▄███
████████████████████████████████████
.
.
CRYPTO'S FASTEST
GROWING CASINO
         ▄▄▄████████████▄
     ▄▄████████████████████▄▄▄
   ▄███████████████████████████
  ████████████████████████████▀
 █████████████████████████████
███████████████████████████████
███████████████████████████████
███████████████████████████████
 █████████████████████████████
  ███████████████████████████
███████████████████████████▀
 █████████████████
███████▀▀
         ▀▀▀███████▀▀▀
                        ▄█████▄
           ▄▄           ███████
         ▄██            ▀█████▀
  ▄▄▄▄▄ ██▀▄▄██▄▄   ▄
 ▀▀▀▀██████▀▀▀▀      ██▄
   ▄██▀▀▀██▄     ▄▄▄▄▄██ ▄▄▄▄▄
  ██▀     ▀██▄     ▀▀▀█████▀▀▀▀
  ▀        ████     ▄██▀ ▀▀██
            ████   ▄██      ▀
       ▄▄▄████████████▄▄
    ▄█████████████████████▄
  ▄█████████████████████████▄
▄█████████████████████████████▄
.
..PLAY NOW..
Silberman
Legendary
*
Offline Offline

Activity: 1876
Merit: 1084


Leading Crypto Sports Betting & Casino Platform


View Profile
August 22, 2021, 09:09:46 PM
 #11

-snip-
Is not crazy, first things you should know there is no easy to laundry the money he was stolen the reason is simple:
- The money is too big to be laundry even you are using mixing service still can get caught
- All exchange is blacklisted and market the address
- Some of the money "USDT" has been locked by Tether Foundation

In addition, the Hacker ID was identified by some security institutions which can be considered as a threat to the hacker in case he won't resend the money back to the platform. However, after returning the money, the hacker isn't forced to give details about the loophole in the system.

And as mentioned above, he can be the winner of the bug bounty additional to the 500k he got from Poly. Clever or lucky?
If I remember correctly the hacker ended up rejecting the bounty as well so he did not got any kind of profits from this, however if he is really a white hat hacker then he got exactly what he wanted, but if not then it is possible that he is going to try this kind of attack against another network and this time he is going to be way more careful and be able get away with that theft, anyway this should show us that such platforms are not secure enough yet and that you can lose your money really quickly if you leave your coins in those platforms.

..Stake.com..   ▄████████████████████████████████████▄
   ██ ▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄ ██  ▄████▄
   ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██  ██████
   ██ ██████████ ██      ██ ██████████ ██   ▀██▀
   ██ ██      ██ ██████  ██ ██      ██ ██    ██
   ██ ██████  ██ █████  ███ ██████  ██ ████▄ ██
   ██ █████  ███ ████  ████ █████  ███ ████████
   ██ ████  ████ ██████████ ████  ████ ████▀
   ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
   ██            ▀▀▀▀▀▀▀▀▀▀            ██ 
   ▀█████████▀ ▄████████████▄ ▀█████████▀
  ▄▄▄▄▄▄▄▄▄▄▄▄███  ██  ██  ███▄▄▄▄▄▄▄▄▄▄▄▄
 ██████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀█▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀       ▐█▌       ▀█▄
██         ▐█▌         ██
████▄     ▄█████▄     ▄████
████████▄███████████▄████████
███▀    █████████████    ▀███
██       ███████████       ██
▀█▄       █████████       ▄█▀
▀█▄    ▄██▀▀▀▀▀▀▀██▄  ▄▄▄█▀
▀███████         ███████▀
▀█████▄       ▄█████▀
▀▀▀███▄▄▄███▀▀▀
..PLAY NOW..
Daltonik
Legendary
*
Online Online

Activity: 2030
Merit: 1202


Leading Crypto Sports Betting & Casino Platform


View Profile
August 24, 2021, 07:23:45 AM
 #12

The hacker who attacked the Poly Network inter-network protocol provided the key to the multisig wallet and returned the remaining $141 million from the stolen funds. In a comment on the transaction, the hacker explained the delay in the final payment by blocking the stolen USDT in the amount of about $33 million. And he also added that the problem of Tether is excessive centralization.

Quote
DEAR POLY TEAM,

KEEP CALM AND THIS IS THE HAPPY ENDING! I HAVE TO ADMIT THAT MY WILD OR MAD BEHAVIORS HAVE LED CRISES TO YOUR PROJECT, YOUR TEAM AND EVEN YOUR LIVES. SORRY FOR THE INCONVENIENCE! IT MUST BE ONE OF THE MOST WILD ADVENTURES IN OUR LIVES.

THOUGH OUR COMMUNICATION IS NEVER PERFECT, WE ARE MOVING IN THE SAME DIRECTION: SETTLE DOWN THE MESS AND CHEER UP FOR THE FUTURE. I DIDN'T WANT TO LEAVE THE PROJECT IN RUINS SO I HAD MY PERSONAL PLAN TO TAKE THE RESPOSIBILITY OF SAVING THE PROJECT. MY ACTIONS, WHICH MAY BE CONSIDERED WEIRD, ARE MY EFFORTS TO CONTRIBUTE TO THE SECURITY OF THE POLY PROJECT IN MY PERSONAL STYLE. THE CONSENSUS WAS REACHED IN A PAINFUL AND OBSCURE WAY, BUT IT WORKS. SOME PEOPLE EVEN SUSPECT THAT THE WHOLE STORY IS A PR STUNT.

WHY DO WE FALL? SO WE CAN LEARN TO PICK OURSELVES UP. THIS INCIDENT MUST BE A SERIOUS LESSON TO MANY OF US, OR EVEN THE WHOLE DEFI COMMUNITY. PERSONALLY, I HAVE LEARNT AND PRACTISED A LOT. AND I TRIED TO POINT OUT SOME CRUCIAL FACTS ABOUT THIS CRAZY DEFI WORLD (PLEASE IGNORE MY BAD JOKES SINCE THE BEGINNING), AND HOPEFULLY MY PHILOSOPHY COULD BE INSPIRING, ESPECIALLY TO THOSE GEEKS WHO HAD MISBEHAVED ACCIDENTLY.

MY ACTIONS WERE DETERMINED SINCE I MADE THE FINAL DECISION, WHICH WAS TO MAKE IT PERFECT AND TO BE THE ETERNAL, INCLUDING PUBLISHING THE FINAL KEY TODAY. HOWEVER, ONE THING IS MISSING. DURING ALL THE NEGOTIATION, MY _ONLY_ REQUEST, WHICH WAS ALSO THE ONLY REASON FOR SLOW REFUND, WAS TO UNLOCK THE USDT. IN MY SELFISH VIEW, THE STORY IS TAINTED BY THE LOCKED USDT. IT WOULD HAVE BEEN A PERFECT EXAMPLE OF BUILDING TRUST BETWEEN ANONYMOUS "ADVERSARIES" BY LEVERAGING THE POWER OF SMART CONTRACT, IF WE HAD ANY CHANCE TO DEAL WITH THE USDT IN A NOT CENTRALIZED WAY. IT WAS JUST MY PREFERENCE OF SOLVING THE USDT ISSUE, AND IT MIGHT NEVER HAPPEN DUE TO THE UNSYNCHRONIZED COMMUNICATION. IT'S FAIR ENOUGH TO JUST LEAVE THE USDT HERE AS A SIN OF UNTRUST. WE DON'T HAVE TO WORRY ABOUT THE IMPERFECTIONS, BECAUSE THE COMMUNITY, THE MEDIA, THE CROWD AND YOU AND ME CAN'T WAIT FOR THE FINAL KEY, RIGHT? HERE IS THE KEY FOR _US_:

d3c0196b81dba3c2811c0a39536e4dc47d640e3099a9331821d40fd1d6ab66fb

I'M QUITING THE SHOW. BELIEVE IT OR NOT, I HAVE NEVER CONSIDERED THE SHARED WALLET AS THE "HOSTAGE" FOR RANSOM. AS YOU MAY HAVE NOTICED, I HAVE POURED YOUR BOUNTY AND MY COMPENSATION FUND FROM DONATIONS INTO THE SHARED MULTISIG WALLET. NOT SURE IF IT'S CONVENIENT, BUT DISTRIBUTING THE EXTRA ASSETS TO THE "SURVIVORS" WOULD BE THE LAST REQUEST FROM THIS MAN.

YOUR CHIEF SECURITY ADVISOR



..Stake.com..   ▄████████████████████████████████████▄
   ██ ▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄ ██  ▄████▄
   ██ ▀▀▀▀▀▀▀▀▀▀ ██████████ ▀▀▀▀▀▀▀▀▀▀ ██  ██████
   ██ ██████████ ██      ██ ██████████ ██   ▀██▀
   ██ ██      ██ ██████  ██ ██      ██ ██    ██
   ██ ██████  ██ █████  ███ ██████  ██ ████▄ ██
   ██ █████  ███ ████  ████ █████  ███ ████████
   ██ ████  ████ ██████████ ████  ████ ████▀
   ██ ██████████ ▄▄▄▄▄▄▄▄▄▄ ██████████ ██
   ██            ▀▀▀▀▀▀▀▀▀▀            ██ 
   ▀█████████▀ ▄████████████▄ ▀█████████▀
  ▄▄▄▄▄▄▄▄▄▄▄▄███  ██  ██  ███▄▄▄▄▄▄▄▄▄▄▄▄
 ██████████████████████████████████████████
▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄
█  ▄▀▄             █▀▀█▀▄▄
█  █▀█             █  ▐  ▐▌
█       ▄██▄       █  ▌  █
█     ▄██████▄     █  ▌ ▐▌
█    ██████████    █ ▐  █
█   ▐██████████▌   █ ▐ ▐▌
█    ▀▀██████▀▀    █ ▌ █
█     ▄▄▄██▄▄▄     █ ▌▐▌
█                  █▐ █
█                  █▐▐▌
█                  █▐█
▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀█
▄▄█████████▄▄
▄██▀▀▀▀█████▀▀▀▀██▄
▄█▀       ▐█▌       ▀█▄
██         ▐█▌         ██
████▄     ▄█████▄     ▄████
████████▄███████████▄████████
███▀    █████████████    ▀███
██       ███████████       ██
▀█▄       █████████       ▄█▀
▀█▄    ▄██▀▀▀▀▀▀▀██▄  ▄▄▄█▀
▀███████         ███████▀
▀█████▄       ▄█████▀
▀▀▀███▄▄▄███▀▀▀
..PLAY NOW..
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!