One of the many promises that the proponents of decentralized finance make about DeFi is that it is building an uncensorable financial system, incapable of being turned off or shut down by any one entity.
But the events following the record-breaking hack of Poly Network may raise serious doubts about the reliability of such promises.
Poly Network is an interoperability protocol that connects various blockchains which falls under the umbrella of DeFi, a catch-all term used to describe a collection of financial products that facilitate the lending, borrowing, and trading of crypto assets without the need for third-party intermediaries.
In a tweet on August 10, the team behind the multi-chain crypto project said the network was “attacked on Binance Chain, Ethereum, and Polygon.”
Important Notice:
We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon Assets had been transferred to hacker’s following addresses:
ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963
BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71— Poly Network (@PolyNetwork2) August 10, 2021
Once the dust settled, it became clear that the attacker had made off with roughly $600 million in various cryptocurrencies. That makes the Poly Network hack the largest exploit in crypto history, outranking even the infamous Mt. Gox hack from 2014.
While the biggest, Poly Network is far from the first significant breach in DeFi—it’s been a particularly bad year for the DeFi industry.
A report published by CipherTrace—right before the Poly Network exploit occurred—found that DeFi-related hacks were up 270% in 2021 alone. The industry had already lost $474 million since the publication of the report, a number that more than doubled in a matter of hours.
Despite the rampant lootings, some within the industry point to the fact that the crypto industry—let alone the nascent DeFi sector—is still in its very early years.
“Given how early DeFi is and has been in the spotlight for, of course, these newer projects haven’t been battle-tested. In 10-20 years, the space would have matured and be less susceptible to these types of attacks,” Charles Storry, head of growth at crypto index provider Phuture told Decrypt.
Storry, instead, pointed the finger at Poly Network’s team specifically. “This is down to poor management and questionable security on Poly Network,” he said.
On Tuesday, security auditor BlockSec provided a not-yet-verified explanation—the theft could be due to either “leakage of the private key,” or “a bug in the signing process of the Poly Network that has been abused to sign a crafted message.”
At the moment, approximately $342 million worth of the stolen funds have been returned, with the promise of more to come.
DeFi’s centralization concerns
Beyond just protocol security, the hack also raises key questions about decentralized DeFi truly is.
Just an hour after the Poly Network exploit, the CTO of stablecoin-provider Tether announced that $33 million in USDT involved had been frozen.
. @Tether_to just froze ~33M $USDt on 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 as part of the #PolyNetwork hack https://t.co/EviPTAkQJD
— Paolo Ardoino (@paoloardoino) August 10, 2021
“[No problem]. Team work,” said Paolo Ardoino of Tether. “Thanks for the heads up. Tether does its part to help protect the community.”
Frozen in this sense means that the attacker’s USDT could no longer move or transfer the tokens, essentially limiting his total payout. And in events like this, it can be the only solution to stop the siphoning of funds.
“Running contrary to the promises of DeFi, the best hope in such situations are centralized players, namely law enforcement and stablecoin providers,” Ingo Fiedler, co-founder of the Blockchain Research Lab (BLR), told Decrypt.
Tether has frozen assets on multiple occasions following similar exploits and hacks. In February this year, for example, the stablecoin provider froze $1.7 million that was stolen from the popular DeFi project Yearn.Finance.
Elsewhere, CEOs and founders of larger crypto exchanges including OKEx, Huobi, and Binance announced their efforts to block any of the funds that may pass through their platforms.
“We are aware of the [Poly Network] exploit [that] occurred today,” said Binance chief Chanpeng Zhao. “While no one controls BSC (or ETH), we are coordinating with all our security partners to proactively help. There are no guarantees. We will do as much as we can.”
But when Circle, the firm behind another popular stablecoin called USDC, failed to respond and freeze the USDC involved in the hack, members of the crypto community demanded action.
“Binance and Circle need to explain why the [$3 million] BUSD and [$26 million] USDC stolen by hackers are not frozen,” tweeted crypto-journalist Colin Wu. “This case of the largest amount of money in DeFi history may have a great impact on confidence and supervision.”
Binance and circle need to explain why the 3m BUSD and 26m USDC stolen by hackers are not frozen. This case of the largest amount of money in DeFi history may have a great impact on confidence and supervision. @circlepay @jerallaire @binance https://t.co/9jjGlgFmyn
— Wu Blockchain (@WuBlockchain) August 11, 2021
What’s more, this wouldn’t have been the first time Circle has frozen assets. In July 2020, the firm froze $10,000 worth of USDC, citing “binding court orders that have appropriate jurisdiction over the organization.”
These events, as well as the latest Poly Network exploit, serve as a reminder of a much bigger question for the cryptocurrency industry.
“The Poly Network hack showed again the risks involved in DeFi and likely makes people think a second time before using DeFi products,” Fiedler said. He added that the need for more thorough audits and insurance as crucial elements to instill confidence in such products.
Lennart Ante, a researcher at the Blockchain Research Lab and Fiedler’s colleague, echoed similar points.
“The many hacks in the unregulated DeFi area show that there is a large market for insurance that has not yet been tapped,” he told Decrypt.