The Root Cause Of Poly Network Being Hacked

On August 10, 2021, according to news from the SlowMist Zone, the cross-chain interoperability protocol Poly Network was attacked by hackers. The SlowMist security team immediately began analyzing the incident and shares the results below.

The details of the attack

2. Since the owner of the EthCrossChainData contract is the EthCrossChainManager contract, the EthCrossChainManager contract can modify the keeper of the contract by calling the putCurEpochConPubKeyBytes function of the EthCrossChainData contract.

3. The verifyHeaderAndExecuteTx function of the EthCrossChainManager contract can execute user-specified cross-chain transactions by calling the _executeCrossChainTx function internally. The attacker therefore only needs to pass carefully constructed data to verifyHeaderAndExecuteTx so that _executeCrossChainTx calls the putCurEpochConPubKeyBytes function of the EthCrossChainData contract, changing the keeper role to an address specified by the attacker.

4. After replacing the address of the keeper role, the attacker can construct a transaction at will and withdraw any amount of funds from the contract.
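The ownership relationship in steps 2 to 4, as an added example that is not from the original article or from Poly Network's code: a simplified Python model of the contracts, with the mitigation of refusing to dispatch user-chosen calls into contracts that trust the manager as owner. The caller is passed explicitly in place of msg.sender, header and proof verification is omitted, and the `Manager` class, its `protected` denylist and the keeper byte strings are hypothetical and constructed for illustration.

```python
# Simplified model (constructed for illustration) of the trust relationship
# described above. The real contracts are Solidity; msg.sender is modeled by
# passing the caller explicitly, and header/proof checks are left out.

class EthCrossChainData:
    def __init__(self, owner, keeper):
        self.owner = owner      # the manager contract owns the data contract
        self.keeper = keeper    # public key bytes of the current keeper

    def putCurEpochConPubKeyBytes(self, sender, new_keeper):
        # Owner-only check: passes whenever the manager is the caller.
        if sender is not self.owner:
            raise PermissionError("caller is not the owner")
        self.keeper = new_keeper


class Manager:
    """Stand-in for the cross-chain manager; 'protected' is hypothetical."""

    def __init__(self):
        self.protected = []     # contracts that trust this manager as owner

    def execute_cross_chain_tx(self, target, method, args):
        # Hardened path: user-specified requests must never reach contracts
        # in which this manager holds a privileged role.
        if any(target is p for p in self.protected):
            raise PermissionError("target is a privileged contract")
        # The call is made with the manager's own identity as the sender.
        getattr(target, method)(self, *args)


def run(hardened):
    """Return the keeper after a user-specified request targets the data contract."""
    manager = Manager()
    data = EthCrossChainData(owner=manager, keeper=b"legit-keeper")
    if hardened:
        manager.protected.append(data)
    try:
        manager.execute_cross_chain_tx(
            data, "putCurEpochConPubKeyBytes", [b"other-keeper"])
    except PermissionError:
        pass                    # request rejected, keeper left untouched
    return data.keeper


if __name__ == "__main__":
    print("unrestricted dispatch:", run(hardened=False))
    print("privileged targets refused:", run(hardened=True))
```

The owner check on the data contract is correct in isolation; the keeper changes only because the owner itself forwards a request whose target and method were chosen by the caller.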

Process

https://bscscan.com/address/0x7cea671dabfba880af6723bddd6b9f4caa15c87b

2. The attacker used the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract to call the putCurEpochConPubKeyBytes function and change the keeper:

https://bscscan.com/tx/0x3eba3f1fb50c4cbe76e7cc4dcc14ac7544762a0e785cf22034f175f67c8d3be9

3. Attack transactions:

https://bscscan.com/tx/0x50105b6d07b4d738cd11b4b8ae16943bed09c7ce724dc8b171c74155dd496c25

https://bscscan.com/tx/0xd65025a2dd953f529815bd3c669ada635c6001b3cc50e042f9477c7db077b4c9

https://bscscan.com/tx/0xea37b320843f75a8a849fdf13cd357cb64761a848d48a516c3cac5bbd6caaad5

4. After the attack was completed, other normal transactions were reverted because the keeper had been modified.

5. The same operation on Ethereum:

Attacked contract:

https://etherscan.io/address/0x838bf9e95cb12dd76a54c9f9d2e3082eaf928270

The transaction in which the attacker changed the keeper:

https://etherscan.io/tx/0xb1f70464bd95b774c6ce60fc706eb5f9e35cb5f06e6cfe7c17dcda46ffd59581

The transaction in which the attacker carried out the attack:

https://etherscan.io/tx/0xad7a2c70c958fcd3effbf374d0acf3774a9257577625ae4c838e24b0de17602a

Summary

Focuses on Blockchain Ecosystem Security, have served over 1k+ customers.
