For discussion, this post is also available on Twitter
My fellow DeFi plebs are in the midst of a dark week - namely the largest ANY hack, EVER. And it happens to be a DeFi hack.
Let's dive into the dilemma how to instantly lose $666M
As far as I know this was the largest fintech hack, or even a bug, EVER.
This cross-chain bridge is making non-natively issued tokens available on other blockchains. For example, $ETH and $DAI natively exist on only on #Ethereum mainnet. If you trade $ETH or $DAI on Polygon or Binance Smart Chain, it is a bridged asset.
The @PolyNetwork2 bridge was non-custodial.
Antchain ICO'ed back in 2015-2016, it was one of the early successful ICO projects.
A design flaw, a human mistake, which had escaped all the eyeballs except ones of the hacker.
(with the exception of L2s, Cosmos, Polkadot)
This is why a lot of #Ethereum security researchers, including me, initially incorrectly reported the issue being a compromised private key issue.
After all, we need burn someone on the stake, right?
One from @NCCGroupplc (servers?) and one from @certik_io (smart contracts)
I tried to look up the audit reports, but could not find them on Poly website, their Github, documentation, etc. Not sure if the audits are public.
So assume any Certik audit you see is worth of the toilet paper it is written on.
✅ A lot of ceremony
✅ A lot of discussion
✅ A lot of people
✅ Push it slowly
There is always a risk to make a human mistake. But we know how to have a pretty darn good process to eliminate those mistakes.
The life goes on.
Parity wallet bug
Thailand Central Bank attack
Stolen Silk Road bitcoins
Knight Capital trading bug,
Half a billy is a lot of money.
Sadly, I think it is well-deserved, coverage.
The quality of Poly, albeit not perfect, was not even close of the worst custodial bridges you see elsewhere.
It could have been avoided with more focus on the code security, more eyeballs on the code. "Move fast and break things" made a lot of unhappy people this time.
I would put my bets on some insider or close to insiders, though it is plausible it could be someone 100% unrelated to the Poly crew.
However, the whole concept of #DeFi has barely existed, so we have had not have enough time to go after large hacks.
Now, back to refill my ☕️☕️☕️