Full Report
Poly is a cross chain protocol. It is essentially a bridge between two contracts. In order to do this, a special contract gets called from an EOA to update the state from blockchain to blockchain. In the case of Ethereum, there are two very privileged contracts: EthCrossChainData and EthCrossChainManager. EthCrossChainData can only be invoked by contract owners. It is used to manage the keys for nodes and many other sensitive operations. EthCrossChainManager can trigger messages from another chain to the Polychain. To do this, the function verifyHeaderAndExecuteTx within this contract is called with a poly contract to execute. This is intended to ONLY call functions with a specific solidity function ID though. The calculation of the function is done with bytes4(keccak256(abi.encodePacked(_method, "(bytes,bytes,uint64)"))). A user controls the parameter _method. Since functions are literally just the code above, if an attacker could specify a DIFFERENT method ID, they could call arbitrary functions in the contract. This requires brute forcing the hash because of the function signature though. Remember how the EthCrossChainData contract can only be updated by owners? Well, we can proxy the request with the previous bug, since EthCrossChainManager is an owner of it! By proxying a call to this with the previous bug, we can call sensitive functions! In particular, putCurEpochConPubKeyBytes adds a public key to the contract for verification. By adding a public key, we can sign our own transactions now! This is how the attacker stole all of the money; a crazy 610 million in USD. Damn. Function calls used to proxy requests should be carefully audited in applications. This one bug lost a fortune for the platform.
Analysis Summary
# Incident Report: Poly Network Cross-Chain Bridge Exploitation
## Executive Summary
The Poly Network, a cross-chain decentralized finance (DeFi) protocol, suffered a massive security breach resulting in the theft of approximately $610 million USD across multiple blockchains. The attacker exploited a logic flaw in the protocol’s internal contract communication, allowing them to override the network’s "keeper" public keys and sign unauthorized transactions. Following public pressure and the freezing of certain assets, the attacker eventually returned the majority of the stolen funds.
## Incident Details
- **Discovery Date:** August 10, 2021
- **Incident Date:** August 10, 2021
- **Affected Organization:** Poly Network
- **Sector:** Decentralized Finance (DeFi) / Blockchain
- **Geography:** Global (Primary impact on Ethereum, Polygon, and Binance Smart Chain)
## Timeline of Events
### Initial Access
- **Date/Time:** August 10, 2021
- **Vector:** Exploitation of `EthCrossChainManager`
- **Details:** The attacker targeted the `verifyHeaderAndExecuteTx` function. By brute-forcing a method signature that resulted in the same 4-byte ID as a sensitive administrative function, they bypassed intended call restrictions.
### Lateral Movement
- **Mechanism:** Internal Contract Proxying
- **Details:** The attacker used the compromised `EthCrossChainManager` (which had owner privileges) to call the `EthCrossChainData` contract. This allowed the attacker to trigger the `putCurEpochConPubKeyBytes` function.
### Data Exfiltration/Impact
- **Assets Stolen:** Over $610 million USD in various tokens (Ethereum, Neo, Tether, etc.).
- **Mechanism:** By replacing the "keepers" (validators) public keys with their own, the attacker gained the ability to sign and legitimate any withdrawal transaction from the protocol's liquidity pools.
### Detection & Response
- **Detection:** Rapidly identified via on-chain monitoring as massive liquidity drains occurred.
- **Response:** Poly Network issued a public plea to miners and exchanges to blacklist the attacker's addresses. Tether successfully froze approximately $33 million in stolen USDT.
## Attack Methodology
- **Initial Access:** Smart contract vulnerability (Input validation failure in cross-chain message execution).
- **Persistence:** Not applicable in a traditional sense; the attacker maintained control by becoming the authorized "keeper" of the contract.
- **Privilege Escalation:** Exploited the trust relationship between `EthCrossChainManager` (privileged caller) and `EthCrossChainData` (data storage).
- **Defense Evasion:** Brute-forced function signatures to match the 4-byte hash required to trigger internal functions without alerting standard security checks.
- **Impact:** Unauthorized fund transfer (Theft).
## Impact Assessment
- **Financial:** Total value of tokens transferred was ~$610M USD.
- **Data Breach:** Public ledger transparency revealed all transaction details; however, private key/identity data was not the primary target.
- **Operational:** Total halt of the Poly Network bridge services.
- **Reputational:** Significant loss of trust in cross-chain bridge security; required extensive public relations efforts to recover returned funds.
## Indicators of Compromise
- **Behavioral indicators:** Unexpected updates to the `EthCrossChainData` keeper public keys; unauthorized calls to `putCurEpochConPubKeyBytes` originating from the manager contract.
- **Attacker Addresses (Defanged):**
- `0x1908...` (Ethereum)
- `0xA0Ca...` (BSC)
## Response Actions
- **Containment:** Poly Network requested exchanges to blacklist addresses. Tether locked the stolen USDT assets on-chain.
- **Eradication:** SlowMist (Security Firm) claimed to have tracked the attacker's IP and email via a small Asian exchange.
- **Recovery:** The attacker engaged in "on-chain" communication via transaction metadata and began returning funds on August 11, 2021.
## Lessons Learned
- **Cross-Contract Trust:** Being an "owner" of another contract is a massive risk; if the owner-contract is compromised, the child-contract is also compromised.
- **Function Signature Collisions:** Using only 4 bytes (8 hex characters) for function identification is susceptible to brute-force collisions.
- **Input Sanitization:** User-controlled parameters (like `_method`) should never be allowed to call arbitrary internal administrative functions.
## Recommendations
- **Access Control:** Implement rigid "Allow-Lists" for function calls that can be proxied through cross-chain managers.
- **Security Audits:** Conduct deep-dive logic audits specifically focusing on how different smart contracts interact and share permissions.
- **Emergency Pausing:** Implement "Circuit Breaker" patterns to allow for the immediate freezing of the bridge in the event of anomalous activity.