Thief hands back at least a third of $600m in crypto-coins stolen from Poly Network • The Register

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360


Whoever drained roughly $600m in cryptocurrencies from Poly Network is said to have returned at least $260m so far.

The cyber super-heist, revealed yesterday, was described by Poly Network as the largest of its kind in decentralized finance history. The Chinese biz, which handles the exchange of cryptocurencies and other tokens between various blockchains, today said more than a third of the money pilfered from its systems has been returned.

Here’s what Poly Network had to say earlier:

Poly Network said the crook was able to interfere with the execution of smart contracts – typically, small programs that automatically run to fulfill agreements between parties – that are used by the platform to exchange people’s tokens and coins. Thus, funds were siphoned off in transit as opposed to being extracted directly from digital wallets.

You can find more technical detail here by security analysts Slowmist, and here by blockchain watchers Chainalysis.

“The hacker exploited a vulnerability, which is the _executeCrossChainTx function between contract calls,” a spokesperson for Poly Network told El Reg. “Therefore, the attacker uses this function to pass in carefully constructed data to modify the keeper of the EthCrossChainData contract. It is not the case that this event occurred due to the leakage of the keeper’s private key.”

The team at Chainalysis put it more bluntly: “The attacker pulled off the heist by taking advantage of an exploit in the smart contracts Poly Network uses to carry out cross-chain transactions.”

Earlier, Poly Network publicly pleaded for the thief to return all of the stolen assets, and urged crypto-exchanges and others to refuse to handle transactions from specific wallet…

Source…