On August 10, 2021, the Poly Network was the victim of the biggest DeFi hack to date. The attacker stole an estimated $600.3 million in various tokens by exploiting a vulnerability in the protocol’s smart contracts.
Inside the Attack
The Poly Network hack was made possible by the interactions between a few of the project's smart contracts. By exploiting these relationships, the attacker was able to set the keeper role to point to their address, allowing them to perform transactions at will and drain value from the project.
The PutCurEpochConPubKeyBytes function in the EthCrossChainData contract can update the keeper role. This function can be executed with a call to verifyHeaderAndExecuteTx in the EthCrossChainManager contract.
The attacker sent a specially formatted command to verifyHeaderAndExecuteTx, which reassigned the keeper role to them. From there, they could drain the value from the protocol.
The attacker claims that the hack was to demonstrate a major vulnerability in the protocol and was for the project's own good. They have returned some of the stolen funds, but the majority has not been returned.
Lessons Learned From the Hack
The Poly Network hack demonstrated the dangers of complexity and the importance of testing for undesired cross-function and cross-contract interactions. This attack was possible because resetting the keeper role was something that verifyHeaderAndExecuteTx could execute internally.