Poly Network Releases Security Incident Investigation Report for July 2nd
Poly Network is a cross-chain protocol designed for achieving blockchain interoperability and building the infrastructure for Web3.0. Poly Network integrates with over 20 blockchains, including Ethereum, Avalanche, Fantom, OKC, Neo, Ontology, Zilliqa, Elrond, and others.
On July 2, 2023, Poly Network experienced an exploit that affected 58 assets across 11 blockchains. Yesterday, Poly Network released an investigation report regarding the security incident that occurred on July 2nd.
The investigation report reveals that the attacker implanted a Trojan virus in the program compilation environment to obtain the consensus key of the Poly Network relay chain. The attacker then executed forged cross-chain transactions: they moved original-chain transactions to the attacker's own relay chain and manipulated the amount of assets scheduled to be unlocked on the target chain, then relayed those transactions from the attacker's relay chain to the target chain. The target chain contract validated the relay chain signature and released the modified asset amount to the attacker's wallet address.
For Poly Network's cross-chain transactions, each transaction is relayed to Poly Network's relay chain. Once a transaction is completed on the Poly Network relay chain, it is further relayed to the target chain, carrying the relay chain header and Merkle Proof as verification inputs to complete the cross-chain transaction.
After the exploit, immediate analysis of the exploited transactions on the target chain showed that a suspicious Poly Relay Chain block header had been submitted with signatures and had passed signature verification. Comparing its height and hash value showed that this block header did not correspond to the running Poly Network Relay Chain. The official inference therefore points to two potential exploitation paths:
The hacker obtained the Poly Network Relay Chain consensus key (2f+1) and signed the forged block header.
The hacker exploited security vulnerabilities in Poly Network relay chain consensus nodes to deceive nodes into signing forged block headers.
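The height-and-hash comparison described above can be run continuously as a monitor. The following is an added example, not code from Poly Network or from the report: it assumes a simplified header (height plus state root), uses HMAC as a stand-in for consensus-node signatures, assumes n = 3f + 1 nodes, and all keys and headers are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data: 4 consensus nodes (n = 3f + 1, f = 1), quorum 2f + 1 = 3.
NODE_KEYS = {f"node{i}": f"constructed-key-{i}".encode() for i in range(4)}
F = (len(NODE_KEYS) - 1) // 3
QUORUM = 2 * F + 1

def header_hash(height: int, state_root: str) -> str:
    """Hash of a simplified header (real headers carry more fields)."""
    return hashlib.sha256(f"{height}|{state_root}".encode()).hexdigest()

def sign(node: str, hdr_hash: str) -> str:
    """HMAC stands in for a consensus-node signature in this sketch."""
    return hmac.new(NODE_KEYS[node], hdr_hash.encode(), hashlib.sha256).hexdigest()

def quorum_ok(hdr_hash: str, sigs: dict) -> bool:
    """The check a target-chain contract performs: 2f+1 valid signatures."""
    valid = {n for n, s in sigs.items()
             if n in NODE_KEYS and hmac.compare_digest(s, sign(n, hdr_hash))}
    return len(valid) >= QUORUM

def audit_header(height: int, state_root: str, sigs: dict, canonical: dict) -> str:
    """Classify a header seen on a target chain against the running relay chain."""
    h = header_hash(height, state_root)
    if not quorum_ok(h, sigs):
        return "rejected: no quorum"
    if canonical.get(height) != h:
        # Valid signatures on a header the running chain never produced.
        return "ALERT: quorum-signed header not on canonical relay chain"
    return "ok"

# Canonical relay chain as read from an independent full node (constructed).
CANONICAL = {100: header_hash(100, "root-a"), 101: header_hash(101, "root-b")}

def demo():
    signers = ["node0", "node1", "node2"]
    good = {n: sign(n, CANONICAL[101]) for n in signers}
    forged_hash = header_hash(101, "root-forged")
    forged = {n: sign(n, forged_hash) for n in signers}  # keys no longer secret
    weak = {n: sign(n, CANONICAL[101]) for n in signers[:2]}
    return (audit_header(101, "root-b", good, CANONICAL),
            audit_header(101, "root-forged", forged, CANONICAL),
            audit_header(101, "root-b", weak, CANONICAL))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second case is the one that matters: signature verification alone accepts the header, and only the comparison against an independently observed relay chain flags it.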
This incident resulted in a theft of $10.1 million from Poly Network. It's worth noting that Poly Network experienced another hacking incident in August of the previous year, where the stolen funds amounted to $611 million. According to statistics, the total loss amount from hacking incidents in 2022 reached $3.7 billion, with cross-chain bridge attacks accounting for 35% of the losses.