In August 2021, Poly Network, a decentralized finance (DeFi) platform, suffered one of the largest cryptocurrency heists in history. Hackers exploited a critical vulnerability in its smart contract calls, specifically targeting the cross-chain bridge mechanism that facilitates asset transfers between blockchains. This flaw allowed unauthorized transfers, resulting in the theft of $610 million in cryptocurrencies, including Ethereum (ETH), Binance Smart Chain (BSC), and Polygon (MATIC) tokens. The attack exposed weaknesses in governance security and contract call permissions: the hacker manipulated privileged roles to execute the exploit.

Following the breach, Poly Network engaged in public negotiations with the attacker, including a widely shared open letter titled *‘Dear Hacker’* urging the return of funds. Surprisingly, the hacker began returning the stolen assets in phases, citing ethical concerns and the high-profile nature of the incident. While most funds were recovered, the attack underscored systemic risks in DeFi, particularly around cross-chain bridges, smart contract audits, and decentralized governance. The incident prompted industry-wide calls for stricter security protocols, including mandatory audits, bug bounties, and resilient multisig controls to prevent similar exploits.
Source: https://blocktelegraph.io/learning-from-defi-security-breaches-case-studies/
TPRM report: https://www.rankiteo.com/company/polymathnetwork
{
  "id": "pol5733457102725",
  "linkid": "polymathnetwork",
  "type": "Breach",
  "date": "8/2021",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{
  "affected_entities": [
    {
      "industry": "Blockchain / Decentralized Finance (DeFi)",
      "location": "Global (Decentralized)",
      "name": "Poly Network",
      "type": "DeFi Protocol"
    }
  ],
  "attack_vector": [
    "Smart Contract Vulnerability",
    "Unauthorized Asset Transfers",
    "Cross-Chain Bridge Exploitation"
  ],
  "customer_advisories": [
    "Public announcements on fund recovery",
    "Guidance on security best practices for users"
  ],
  "date_detected": "2021-08-10",
  "date_publicly_disclosed": "2021-08-10",
  "date_resolved": "2021-08-12",
  "description": "A prominent DeFi project, Poly Network, suffered a security breach in August 2021 where hackers exploited smart contract vulnerabilities to steal $610 million in cryptocurrencies. The attacker later returned the funds after negotiations with the project team. The flaw in Poly Network’s smart contract calls allowed unauthorized asset transfers between blockchains, resulting in massive financial loss. Public appeals and negotiations (including the 'Dear Hacker' letter) led to the recovery of most funds.",
  "impact": {
    "brand_reputation_impact": [
      "Short-term reputational damage",
      "Later mitigated by fund recovery and transparency"
    ],
    "financial_loss": "$610 million (initially stolen, mostly recovered)",
    "operational_impact": "Temporary suspension of cross-chain transactions",
    "systems_affected": [
      "Poly Network’s cross-chain bridge",
      "Smart contracts"
    ]
  },
  "initial_access_broker": {
    "entry_point": "Smart contract vulnerability in cross-chain bridge",
    "high_value_targets": [
      "Cross-chain asset transfers",
      "Governance permissions"
    ]
  },
  "investigation_status": "Resolved (funds recovered, security improvements implemented)",
  "lessons_learned": [
    "Smart contract audits are essential to identify critical vulnerabilities before deployment.",
    "Cross-chain bridges require extra security due to their complexity and central role in DeFi.",
    "Transparent and proactive incident communication can aid in fund recovery and reputation management.",
    "Decentralization introduces new risks, such as compromised admin keys and governance manipulation.",
    "Governance security must be strengthened to prevent unauthorized contract call permissions.",
    "Comprehensive security must cover smart contracts, bridges, price oracles, multisig wallets, and infrastructure.",
    "Price oracle manipulations and flash loan attacks are additional threats in DeFi."
  ],
  "motivation": [
    "Financial Gain",
    "Potential Ethical Hacking (funds returned)"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Implemented stricter smart contract auditing processes",
      "Enhanced governance security and permission controls",
      "Introduced bug bounty programs and community-driven security reviews",
      "Improved monitoring and incident response for cross-chain transactions"
    ],
    "root_causes": [
      "Insufficient smart contract audits pre-deployment",
      "Weak permission checks in governance mechanisms",
      "Lack of robust security measures for cross-chain bridges"
    ]
  },
  "recommendations": [
    "Conduct regular and thorough smart contract audits before and after deployment.",
    "Implement rigorous security measures for cross-chain bridges and governance mechanisms.",
    "Adopt transparent and proactive communication strategies during incidents.",
    "Enhance security around admin keys, role management, and protocol governance.",
    "Expand security practices to include price oracles, flash loan protections, and infrastructure hardening.",
    "Establish bug bounty programs to incentivize ethical hacking and vulnerability reporting."
  ],
  "references": [
    {
      "source": "Cointelegraph - Poly Network Hack Analysis",
      "url": "https://cointelegraph.com/news/poly-network-hack-how-it-happened-and-what-s-next"
    },
    {
      "source": "Poly Network Official Statement",
      "url": "https://medium.com/@PolyNetwork/poly-network-update-83669814e377"
    }
  ],
  "response": {
    "communication_strategy": [
      "Transparent public updates",
      "'Dear Hacker' open letter",
      "Community engagement"
    ],
    "containment_measures": [
      "Public appeal to the hacker",
      "Temporary suspension of cross-chain transactions"
    ],
    "enhanced_monitoring": [
      "Post-incident security audits",
      "Improved monitoring of cross-chain transactions"
    ],
    "incident_response_plan_activated": true,
    "recovery_measures": [
      "Negotiations with the attacker",
      "Fund recovery process"
    ],
    "remediation_measures": [
      "Smart contract audits",
      "Enhanced governance security",
      "Bug bounty programs"
    ],
    "third_party_assistance": [
      "Security auditors (post-incident)",
      "Community engagement"
    ]
  },
  "stakeholder_advisories": [
    "Transparency in incident updates",
    "Engagement with DeFi community for trust rebuilding"
  ],
  "threat_actor": "Unknown (later engaged in negotiations)",
  "title": "Poly Network Hack",
  "type": [
    "DeFi Exploit",
    "Smart Contract Vulnerability",
    "Cross-Chain Bridge Attack"
  ],
  "vulnerability_exploited": [
    "Flaw in smart contract calls",
    "Weak governance mechanisms",
    "Insufficient permission checks"
  ]
}