$610 Million Defi Hack: Why didn’t Binance and Circle Freeze Hacker Account?

Poly Network became the victim of the largest Defi hack in crypto history as hackers managed to drain $610 million worth of assets on Binance Smart Chain (BSC), Ethereum (ETH), and Polygon. As per the latest development, the hacker behind the attack has agreed to return the fund and has demanded a secure multi-sig wallet from the Poly Network.

A total of $610 million were stolen out of which $266,5 million were sent to an ETH address, $252 million were sent to a BSC address, and $85 million to Polygon address.

SlowMist, a blockchain analytic firm that managed to get hold of the hacker’s IP address and digital fingerprint discovered that the hacker’s initial source of funds was Monero (XMR), and then changed to BNB/ETH/MATIC and other coins in the exchange and withdrew the coins to 3 addresses. The forensic group summarised the attack as

“This attack is mainly because the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute the data passed in by the user through the _executeCrossChainTx function. Therefore, the attacker uses this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract.

The hacker claimed the attack would have been in billion had he decided to rug remaining “Shitcoins” as well. He also took a pot-shot at the protocol developers saying,

“WHAT IF I MAKE A NEW TOKEN AND LET THE DAO DECIDE WHERE THE TOKENS GO”

Tether Froze Hacker’s USDT Account, But Circle and Binance Didn’t

As soon as the hack was discovered, Poly Network requested all exchanges and miners to red-flag transactions initiating out of the mentioned hacked accounts. Tether was quick to the job and froze $33 million worth of USDT almost immediately. However, a majority of the funds were on the BSC network which many believe didn’t take appropriate steps to block the transactions.

. @Tether_to just froze ~33M $USDt on 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 as part of the #PolyNetwork hack https://t.co/EviPTAkQJD

— Paolo Ardoino (@paoloardoino) August 10, 2021

One reason that Binance didn’t freeze BUSD transactions is that the native stablecoin cannot be frozen by anyone on the BSC network. However, Circle could still have blocked the transactions, but they decided against it and said they would take legal actions instead.

96m USDC is in curve now. We saw that Tether quickly froze 33m USDT, but where is @circlepay ? https://t.co/ZhVE7zcgDA

— Wu Blockchain (@WuBlockchain) August 10, 2021

A Chinese blogger Chaojuin consulted all three token controllers of USDT, USDC, and BUSD

“I consulted USDT, USDC, and BSC for the first time. USDT was frozen. The CEO of USDC said that they wanted to go public legally and not frozen. BSC initially said that it was frozen, but after CZ Binance tweeted, Know that they are not frozen.”