For discussion, this post is also available on Twitter
1/ Welcome to the #DeFi Wednesday, my ladies and penguins.
My fellow DeFi plebs are in the midst of a dark week - namely the largest ANY hack, EVER. And it happens to be a DeFi hack.
Let's dive into the dilemma how to instantly lose $666M
👇👇👇
My fellow DeFi plebs are in the midst of a dark week - namely the largest ANY hack, EVER. And it happens to be a DeFi hack.
Let's dive into the dilemma how to instantly lose $666M
👇👇👇
2/ Poly Network (not affiliated with Polygon or $MATIC) had its cross-chain asset bridge hacked yesterday.
As far as I know this was the largest fintech hack, or even a bug, EVER.
As far as I know this was the largest fintech hack, or even a bug, EVER.
3/ What is a bridge?
This cross-chain bridge is making non-natively issued tokens available on other blockchains. For example, $ETH and $DAI natively exist on only on #Ethereum mainnet. If you trade $ETH or $DAI on Polygon or Binance Smart Chain, it is a bridged asset.
This cross-chain bridge is making non-natively issued tokens available on other blockchains. For example, $ETH and $DAI natively exist on only on #Ethereum mainnet. If you trade $ETH or $DAI on Polygon or Binance Smart Chain, it is a bridged asset.
4/ We have found out that moving liquidity comes with great inertia. Because #Ethereum was the first smart contract blockchain, started 2014, it has the first mover advantage. All early projects were built on Ethereum mainnet.
5/ Some of these early projects have now tokens valued in billions: stablecoins, utility tokens, governance tokens and so on. The large cap tokens make most of the trade volume.
6/ But you cannot trade these tokens, especially stablecoin ones, on new blockchains because the original project does not support your blockchain.
7/ A bridge to the rescue. Any bridge essentially locks the native token supply in one blockchain and then issues the locked amount of a wrapped token on another blockchain.
8/ Bridges can be custodial (humans can intervene, have master keys) or non-custodial (everything is purely computer based). Non-custodial is preferred as it eliminates the counterparty risk and insider fraud risks.
The @PolyNetwork2 bridge was non-custodial.
The @PolyNetwork2 bridge was non-custodial.
9/ A good technical overview of different bridge design decisions and compromises is in this excellent @EthCC talk by @_prestwich
10/ Poly Network itself is little known outside China. It mostly deals with Chinese crypto community and projects, and falls within the @Neo_Blockchain ecosystem (formerly known as Antchain)
Antchain ICO'ed back in 2015-2016, it was one of the early successful ICO projects.
Antchain ICO'ed back in 2015-2016, it was one of the early successful ICO projects.
11/ Poly Network had this infamous number of $600M assets locked. These assets where mostly bridged from Ethereum mainnet to Ontology (and Binance Smart Chain?)
12/ So what happened? How to hack and get away with half a billy stash?
👇👇👇
👇👇👇
13/ There was a logic fault in the code.
A design flaw, a human mistake, which had escaped all the eyeballs except ones of the hacker.
A design flaw, a human mistake, which had escaped all the eyeballs except ones of the hacker.
14/ Namely, Poly bridge was run by 4 "keepers". A keeper is a server and a party that moves messages between the blockchains, as two blockchains cannot natively community between each other
(with the exception of L2s, Cosmos, Polkadot)
(with the exception of L2s, Cosmos, Polkadot)
15/ Keepers relay messages, and also have the keys to move tokens in and out of the locked pool on the native-side of the bridge: in this case Ethereum smart contract.
16/ The attacker managed to replace all the four keepers with himself, becoming the sole keeper himself.
This is why a lot of #Ethereum security researchers, including me, initially incorrectly reported the issue being a compromised private key issue.
This is why a lot of #Ethereum security researchers, including me, initially incorrectly reported the issue being a compromised private key issue.
17/ And here is where the logic fault happened: by crafting a specially signed cross-chain message that calls a smart contract on another chain on the other side of the bridge, the attacker called the keeper smart contract himself.
18/ Details here: \...\The keeper contract had a logic that if called by a keeper it can rotate it keys and add and remove other keepers.
19/ The smart contract design did not account for the scenario that the smart contract could call itself, spoof @solidity_lang Keccak256 selector hash of the function.
20/ So the attacker triggered a message from Ontology side of the bridge to the Ethereum side of the bridge, the message called the keeper smart contract and the message called the Solidity function to reset the keepers.
21/ After becoming the keeper, the attacker moved all the tokens to himself and herself that were keeper locked in Ethereum, essentially making the wrapped tokens on Ontology worthless, as there was nothing backing them up anymore.
22/ Who to blame?
After all, we need burn someone on the stake, right?
👇👇👇
After all, we need burn someone on the stake, right?
👇👇👇
23/ First of all, Poly had two technical audits
One from @NCCGroupplc (servers?) and one from @certik_io (smart contracts)
I tried to look up the audit reports, but could not find them on Poly website, their Github, documentation, etc. Not sure if the audits are public.
One from @NCCGroupplc (servers?) and one from @certik_io (smart contracts)
I tried to look up the audit reports, but could not find them on Poly website, their Github, documentation, etc. Not sure if the audits are public.
24/ Because the job of the smart contract auditors is to stake their reputation in order to write expensive audit reports, let me call it out and say @certik_io is one to definitely blame here - this logic issue should have been caught in a good audit.
25/ But Certik does not do good audits, it merely does audits. Certik has a bit bad reputation among Ethereum security researcher community of being a paper mill of audit reports.
So assume any Certik audit you see is worth of the toilet paper it is written on.
So assume any Certik audit you see is worth of the toilet paper it is written on.
26/ Of course an auditor will blame any issue is outside the scope of the audit they performed, but this is nilly willy talk.
27/ If a project is going to use your name to signal the users that it is secure and you get paid for this service, it does not matter what the preamble text says.
28/ Poly dev team itself seems to be more difficult to decipher. They have an open source Github, but most pull requests do not get discussion or it is in Chinese.
31/ I could not find any public discussion about the architecture and design choices: ultimately any attack vector should have been discussed in FMEA during the source code development in the code peer review.
32/ FMEA stands for Failure Mode and Effect Analysis - effective when you write a piece of critical code you need to brainstorm and write down every possible scenario "What could go wrong"
33/ This is how mission critical software developers can ensure a process was followed and a process was rigid, instead of making it a failure of an individual contributor.en.wikipedia.org/wiki/Failure_m…
34/ Personally I believe that only way to write secure mission critical software is to have a good process and stick to the process.
✅ A lot of ceremony
✅ A lot of discussion
✅ A lot of people
✅ Push it slowly
✅ A lot of ceremony
✅ A lot of discussion
✅ A lot of people
✅ Push it slowly
35/ Blue chips #DeFi projects like @AaveAave follow this pattern.
There is always a risk to make a human mistake. But we know how to have a pretty darn good process to eliminate those mistakes.
There is always a risk to make a human mistake. But we know how to have a pretty darn good process to eliminate those mistakes.
36/ What next?
The life goes on.
👇👇👇
The life goes on.
👇👇👇
37/ As far as I know Poly is #1 hack AND the fintech bug in the terms of day value of the assets affected EVER.
38/ This includes
Mt. Gox
Bitfinex
Parity wallet bug
Thailand Central Bank attack
Stolen Silk Road bitcoins
Knight Capital trading bug,
Half a billy is a lot of money.
Mt. Gox
Bitfinex
Parity wallet bug
Thailand Central Bank attack
Stolen Silk Road bitcoins
Knight Capital trading bug,
Half a billy is a lot of money.
39/ Expect a lot of main stream media coverage how crypto is bad and full of criminals.
Sadly, I think it is well-deserved, coverage.
Sadly, I think it is well-deserved, coverage.
40/ A lot of people, poor and rich lost money. Here is how they feel:
41/ The #DeFi learns. None of the other non-custodial bridge projects will repeat this mistake again.ethereum.stackexchange.com/questions/8551…
42/ People should also start to quetion more the quality of cross-chain bridges they use.
The quality of Poly, albeit not perfect, was not even close of the worst custodial bridges you see elsewhere.
The quality of Poly, albeit not perfect, was not even close of the worst custodial bridges you see elsewhere.
43/ Sadly, the price for the learning experience was too steep this time.
It could have been avoided with more focus on the code security, more eyeballs on the code. "Move fast and break things" made a lot of unhappy people this time.
It could have been avoided with more focus on the code security, more eyeballs on the code. "Move fast and break things" made a lot of unhappy people this time.
44/ Maybe the #Ethereum security community could focus on how to slow down the movement of the locked assets and then have a government token decision to intervene in the case of an issue.
45/ Is the hacker going to get caught? Who is he?
I would put my bets on some insider or close to insiders, though it is plausible it could be someone 100% unrelated to the Poly crew.
I would put my bets on some insider or close to insiders, though it is plausible it could be someone 100% unrelated to the Poly crew.
46/ As this is purely technical hack, a lot of time had to be spent studying the bridge code or you were just lucky.
47/ Unfortunately, the track record of catching people for "on-chain crime" is pretty abysmal.
However, the whole concept of #DeFi has barely existed, so we have had not have enough time to go after large hacks.
However, the whole concept of #DeFi has barely existed, so we have had not have enough time to go after large hacks.
48/ For sure, I can say it is unlikely the hacker is ever be able to cash out any significant portion of his or her funds. Source of funds proofs are needed for any large crypto transaction.
49/ You can money launder comfortably maybe a million of year, but you are not going to buy superyatches or lambo collection with your stolen $ETH stash. Not even in Dubai or Russia.
50/ The hacker seems to make also a lot of noise. Good. This increases the likelyhood of getting caught, as the humans cannot fight against the human nature and sooner or later too much human slips out.
51/ That's all this time.
Now, back to refill my ☕️☕️☕️
Now, back to refill my ☕️☕️☕️
52/ Thank you for @kelvinfichter @Mudit__Gupta and @BlockSecTeam for the excellent research around this hack.
I suggest let's brainstorm how to slow down the movement of locked assets as a mitigation for the similar hacks in the future.
I suggest let's brainstorm how to slow down the movement of locked assets as a mitigation for the similar hacks in the future.
Comments
Send any feedback and comments by replying the Twitter thread.
Discuss