Luke Parker (@kayabaNerve)
Jun 23 · 26 tweets · 6 min read
August, 2021. The largest hack ever in DeFi happens. >600m USD is stolen from @PolyNetwork2. A couple of weeks later, it's returned. Life's normal, for a bit. December, 2021? It was all at risk again, and this time, I was on the other end, with a new critical exploit.
So, how did we get here? A bit of background. Poly Network operates a set of SCs on each chain, to hold the bridge's funds, yet Poly Network itself is an Ontology fork which manages TXs and has its validators submit signatures. It's these signatures that are used in the SCs.
I first noticed a few simple lines of code.
github.com/polynetwork/po…
All transactions must be by whitelisted actors. The catch? It's RPC-validated, not by the mempool. This means anyone connected over P2P would be able to submit TXs. I thought this'd be enough to crash it.
Upon further review, no. Validators only produce signatures for observed transactions. While I can publish transactions to Poly, as I verified with a PoC, I couldn't cause observations. Those went through an SPV proof.
While incredibly over-engineered compared to voting, or since this is whitelisted, blind trust, SPV saved them here. But this was a crack in the armor, a foot in the door. The start of an exploit chain, ready for someone to find the next step.
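A toy model of the check-placement problem described above, added here as an illustration (this is not Poly Network's code, and the node, mempool and sender names are constructed): a whitelist enforced in the RPC handler alone leaves the P2P gossip path unchecked, while the same policy attached to mempool admission covers every entry point.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Tx:
    sender: str
    payload: str


@dataclass
class Mempool:
    """Pending-transaction pool; `admission` is the policy every entry point goes through."""
    admission: Optional[Callable[[Tx], bool]] = None
    pending: list = field(default_factory=list)

    def add(self, tx: Tx) -> bool:
        if self.admission is not None and not self.admission(tx):
            return False
        self.pending.append(tx)
        return True


class RpcOnlyWhitelistNode:
    """Vulnerable layout: the whitelist is enforced in the RPC handler only, so a
    transaction received from a P2P peer reaches the mempool unchecked."""

    def __init__(self, whitelist):
        self.whitelist = frozenset(whitelist)
        self.mempool = Mempool()

    def rpc_submit(self, tx: Tx) -> bool:
        if tx.sender not in self.whitelist:
            return False
        return self.mempool.add(tx)

    def p2p_receive(self, tx: Tx) -> bool:
        return self.mempool.add(tx)  # gossip path: no whitelist check at all


class MempoolWhitelistNode(RpcOnlyWhitelistNode):
    """Hardened layout: the same policy is attached to mempool admission, so RPC
    and P2P inputs are checked identically (the check sits at the choke point)."""

    def __init__(self, whitelist):
        super().__init__(whitelist)
        self.mempool = Mempool(admission=lambda tx: tx.sender in self.whitelist)


def admitted_senders(node_cls) -> dict:
    """Feed one whitelisted and one unknown sender through both entry points and
    report what ended up in the pool. Sender names are constructed sample data."""
    node = node_cls(whitelist={"validator-A"})
    ok = Tx("validator-A", "legit")
    rogue = Tx("peer-Z", "unsolicited")
    return {
        "rpc_ok": node.rpc_submit(ok),
        "rpc_rogue": node.rpc_submit(rogue),
        "p2p_rogue": node.p2p_receive(rogue),
        "pool_senders": sorted({t.sender for t in node.mempool.pending}),
    }


if __name__ == "__main__":
    for cls in (RpcOnlyWhitelistNode, MempoolWhitelistNode):
        print(cls.__name__, admitted_senders(cls))
```

The point of the hardened variant is that the whitelist lives in `Mempool.add`, so adding a new ingress (another RPC method, a relay, a peer) cannot silently bypass it; an audit only has to confirm that every path funnels into that one method.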
And what is SPV? SPV stands for simple payment verification. It's a secure protocol for light wallets to verify chains, without having all the data. This meant Poly had all their blockchains' headers, and could confirm TXs, without their full chains. Efficient and usable.
So then the question is, can you trick the SPV? Can you get it to believe TXs exist which don't? And... no. I couldn't. Yet I could still break it. It wasn't possible to make up transactions. It was possible to get it stuck on a fork.
See, for a Proof of Work blockchain, there may be multiple blocks at a given height. These are forks. Only one stays as part of the chain, and all clients will eventually move to it. Except Poly didn't move over to the block everyone else would. Not always.
Poly didn't check that when you submitted a block, it had a height that was one above the previous. You could say its height was +100, and Poly would accept it. Then, when Poly got a legitimate block with height +1, it'd detect a fork and try to move over.
To move over, it'd scan both chains to find the common ancestor, going through all previous heights. Except... they don't exist. It's looking for height +99 when there is no height +99. It'd error, and Poly ignored this error.
Because of this, even when valid blocks were submitted, it'd stay on your fork. This let you mine, at your own rate, the necessary confirmations to get the signatures needed. With a fake ETH, you get fake deposits. Fake deposits that could be withdrawn for real money.
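A toy SPV header store, added here to make the fork-handling defect concrete (this is an illustration, not Poly Network's code; the header format, hashes, and the height-walking ancestor search are all constructed for the example). The vulnerable store has the two defects the thread describes: it never checks that a new header's height is parent.height + 1, and it swallows the error raised when the common-ancestor search hits a missing height. The hardened store fixes both and fails closed. A second scenario shows that a contiguous competing branch still reorgs correctly in either store, so the fix does not break honest fork handling.

```python
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Header:
    """Minimal block header (constructed format): height, parent hash, nonce."""
    height: int
    parent: str
    nonce: int = 0

    @property
    def hash(self) -> str:
        data = f"{self.height}:{self.parent}:{self.nonce}".encode()
        return hashlib.sha256(data).hexdigest()[:16]


class VulnerableHeaderStore:
    """Header tracker with the two defects described in the thread."""

    def __init__(self, genesis: Header):
        self.by_hash = {genesis.hash: genesis}
        self.main = {genesis.height: genesis}  # canonical chain, indexed by height
        self.tip = genesis
        self.ignored_errors = 0

    def _accept(self, h: Header) -> bool:
        return h.parent in self.by_hash  # defect 1: height is never validated

    def _resolve_fork(self, h: Header) -> None:
        try:
            self._maybe_reorg(h)
        except KeyError:
            self.ignored_errors += 1  # defect 2: error ignored, tip stays on the bogus branch

    def submit(self, h: Header) -> bool:
        if not self._accept(h):
            return False
        self.by_hash[h.hash] = h
        if h.parent == self.tip.hash:  # plain extension of the current tip
            self.main[h.height] = h
            self.tip = h
        else:
            self._resolve_fork(h)
        return True

    def _branch(self, h: Header) -> list:
        """Walk parent links back to genesis; returns headers tip-first."""
        out = [h]
        while out[-1].parent in self.by_hash:
            out.append(self.by_hash[out[-1].parent])
        return out

    def _maybe_reorg(self, h: Header) -> None:
        branch = self._branch(h)
        ancestors = {x.hash for x in branch}
        # Walk the canonical chain down one height at a time until a header shared
        # with the competing branch is found. If a height is missing (height 99
        # after a bogus height-100 header was accepted) this raises KeyError.
        height = self.tip.height
        while self.main[height].hash not in ancestors:
            height -= 1
        fork_point = self.main[height]
        idx = next(i for i, x in enumerate(branch) if x.hash == fork_point.hash)
        ours = sum(1 for k in self.main if k > fork_point.height)  # real header count
        if idx > ours:  # competing branch has more headers past the fork point
            self.main = {k: v for k, v in self.main.items() if k <= fork_point.height}
            for x in reversed(branch[:idx]):
                self.main[x.height] = x
            self.tip = h


class HardenedHeaderStore(VulnerableHeaderStore):
    """Same store with both defects fixed: contiguous heights are required, and a
    failed ancestor search propagates instead of being ignored (fail closed)."""

    def _accept(self, h: Header) -> bool:
        parent = self.by_hash.get(h.parent)
        return parent is not None and h.height == parent.height + 1

    def _resolve_fork(self, h: Header) -> None:
        self._maybe_reorg(h)


def run_bogus_height(store_cls) -> dict:
    """A header claiming height 100 directly on genesis, then the real chain."""
    genesis = Header(0, "0" * 16)
    store = store_cls(genesis)
    accepted_bogus = store.submit(Header(100, genesis.hash, nonce=7))
    prev = genesis
    for height in range(1, 4):  # legitimate headers at heights 1..3 keep arriving
        prev = Header(height, prev.hash)
        store.submit(prev)
    return {"accepted_bogus": accepted_bogus, "tip_height": store.tip.height,
            "tip_is_legit": store.tip.hash == prev.hash,
            "ignored_errors": store.ignored_errors}


def run_honest_fork(store_cls) -> int:
    """A contiguous competing branch that becomes longer: both stores reorg to it."""
    genesis = Header(0, "0" * 16)
    store = store_cls(genesis)
    a1 = Header(1, genesis.hash)
    a2 = Header(2, a1.hash)
    b1 = Header(1, genesis.hash, nonce=1)
    b2 = Header(2, b1.hash, nonce=1)
    b3 = Header(3, b2.hash, nonce=1)
    for hdr in (a1, a2, b1, b2, b3):
        store.submit(hdr)
    return store.tip.height if store.tip.hash == b3.hash else -1


if __name__ == "__main__":
    for cls in (VulnerableHeaderStore, HardenedHeaderStore):
        print(cls.__name__, run_bogus_height(cls), run_honest_fork(cls))
```

In the vulnerable store the bogus header is accepted, every later legitimate header triggers an ancestor search that dies at the missing height 99, the error count climbs, and the tip never leaves height 100. The hardened store rejects the bogus header at admission, and even if a malformed header did get in, the unhandled error would surface instead of quietly leaving the light client on the wrong branch.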
The VAR was ~400m at the time. Via Nicehash, it would've taken 23 minutes and just 70k USD to withdraw it all. 23 minutes, 70k USD, more money than you could spend in a lifetime.
I reached out to Poly directly as soon as I had confirmed my findings, and first asked if it'd still be covered under the bug bounty since the chain itself wasn't on Immunefi (despite being so integral). I was told yes, and we discussed a crit would be worth $500k USD.
I spent a couple hours on that call, while they reviewed my findings, and at one point, a PR person of theirs joined. 'Poly is a startup, without its own token, without an ICO, with just one investor...' and that's when I knew my findings were correct.
A few days later, I heard the number. 100k USD. Why? They didn't consider it critical. This is a decision I disagree with to this day. They're a non-international team and everything could've been gone in less than 30m for <100k USD.
They claimed they would've caught it. Another reason was it's hard to spend that much money, and they could work with the police to recover it. In my opinion, that doesn't matter in the slightest. I believe 30m should be the theoretical response time, and what's lost is lost.
Regardless, their bounty on Immunefi was 100k, and I didn't feel I could fight it. I was also low on funds, and needed the cash, so I took it. They also offered a job, to work on security for them (which I turned down, despite paying well), and were cordial, which I appreciated.
We even had discussions about them improving their bug bounty, as Poly Network evolves, which I was interested in seeing! Yet I'll wait till I see it to say more. I have a history of companies not honoring their promises with bug bounties...
In our further discussions, I also identified their non-ETH SPV clients, such as BSC, had similar issues. BSC let any two BSC validators take over their SPV system, allowing redeeming anything bridged to BSC, along with all assets on BSC.
I also figured out their BFT algorithm, which managed the Poly Network chain itself, let any one validator control it. This would've enabled breaking everything, by making as many Poly blocks as you wanted, BUT you had to be a validator. Critical, but not exploitable.
I was informed this would also be present in @OntologyNetwork, which they forked from, so I submitted a disclosure to @SlowMist_Team, where Ontology had their own bounty published. My report was ignored despite containing a critical vulnerability. Any comment available there? 👀
I reached out to Ontology directly, who said it would've been SlowMist who ignored it, and they were working on it and would tell me when it's fixed. I also never got that notification :( Things falling through the cracks... But I do believe their bug bounty says a crit is 10k 👀
For the exploit chain used here though, I'm happy it's patched, yet it's incredibly important to build robust and secure systems. To quote a past tweet, insecure services are disservices. I also believe 600m needs to be secured with 5-10m, not 100k (or 500k if you ask nicely) :/
Regardless, while I believe I should've gotten 400k more from Poly, as I don't see how this wasn't critical, I learned bug bounties almost never pay out their specified amounts, and that money enabled me to live, attending #MoneroKon2022 in Europe recently. That was amazing :D
In the end, while I didn't get to say "READY TO RETURN", I'm happy I managed to secure those funds and prevent Poly Network v2. Tomorrow, I plan to have another story, which... won't be as friendly as this one.
It'll cover how much of a cesspool this industry can be, with two major players, one linked to Alameda, and I'll have all the receipts to prove it.