Poly Network, a so-called decentralized finance or “DeFi” project, was hit with a major attack last week which saw the hacker, or hackers, make off with more than $600 million worth of tokens.
Poly Network lets users swap tokens from one digital ledger to another. Someone exploited a flaw in Poly Network’s code which allowed them to transfer the assets to their own crypto wallets.
It is thought to be the largest crypto heist of all time, surpassing the $534.8 million in digital coins stolen from Japanese exchange Coincheck in a 2018 attack and the estimated $450 million worth of bitcoin that went missing from Tokyo-based exchange Mt. Gox in 2014.
In Poly Network’s case, the hacker has taken the unusual step of returning most of the stolen money. All but $33 million of the crypto has now been returned.
However, more than $200 million of the funds is currently locked in an account that requires passwords from Poly Network and the hacker to gain access.
Poly Network has pleaded with the hacker, who it is calling “Mr. White Hat,” to provide the password — known as a “private key” — necessary to retrieve the money.
“Mr. White Hat” is a reference to ethical hackers who search for vulnerabilities in organizations’ systems that could expose them to attacks. Security researchers have questioned the labeling of the Poly Network attacker as a white hat hacker.
It’s not clear why the hacker is withholding access to the final tranche of assets. An anonymous person claiming to be the hacker has simply said they will provide the key once “everyone is ready.”
Last week, it was revealed that Poly Network had offered a $500,000 “bug bounty” to send all of the money back. Such bounties are typically rewarded to people who report bugs to help companies find and resolve flaws before they are disclosed to the general public.
The hacker initially turned down the bounty offer. However, in a message embedded in a digital currency transaction Monday, the hacker said “I am considering taking the bounty as a bonus for public hackers if they can hack the Poly Network.”
Poly Network said Tuesday that it hoped to implement a “significant system upgrade” to prevent such an attack from happening again in future, but that it couldn’t do so until all the remaining assets are returned.
The group said its promise to reward “Mr. White Hat” with a $500,000 bounty still stands, and even invited the hacker to becomes its “chief security advisor.”
“To extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network,” the firm said in a statement.
“Poly Network previously promised to reward Mr. White Hat with a $500,000 bug bounty, but he did not accept it and has publicly stated that he has considered offering it to the technical community who have made contributions to blockchain security,” Poly Network added.
“We fully respect Mr. White Hat’s thoughts, and to express our gratitude, we will still transfer this $500,000 bounty to a wallet address approved by Mr. White Hat for him to use it at his own discretion for the cause of cybersecurity and supporting more projects and individuals.”
Poly Network said it “has no intention of holding Mr. White Hat legally responsible” for the hack.