On August 10, 2021, in the heat of the bull run, the Poly Network (not to be confused with Polygon) was hit with the biggest crypto hack to ever occur at that time (now surpassed only by the $625 million Ronin Network hack).
The hacker(s) was apparently able to exploit a weakness in the smart contract that the Poly Network was using to bridge between Ethereum, BSC, and Polygon, allowing them to divert the bridge liquidity to their 3 personal wallets. They made away with around $611 million in 12+ different cryptos including ETH, WBTC, USDT, USDC, and DAI.
That same day, the Poly team made a public request on Twitter for the hacker to open a dialogue, and urged them to return the assets. The hacker replied the next day by embedding a message into the data field of an Ether transaction that he sent to the Poly team:
PLEASE BE PATIENT. JUST SIGNED TRANSACTIONS OF USDC & DAI A FEW HOUR AGO.
The Poly Network received a large amount of returned assets that day.
Using the same communication technique, the attacker held a Q & A. He declared that he had always intended to return the stolen assets, and that he merely wanted to demonstrate a security flaw in Poly's protocol so that it would be fixed. Over the following few days, he returned over half of the coins, and put the majority of the remaining coins into a multisig wallet controlled by himself and the Poly team. Around this time the Poly team started to publicly refer to the hacker as “Mr. White Hat”.
Over the next week, Mr. White Hat and the Poly team communicated back and forth, with the Poly team eventually seeming to use transaction messages as well. Mr. White hat threatened to delay the return of the assets if the Poly Network's vulnerabilities weren't fixed. Some notable messages were:
YOUR ESSAYS ARE VERY CONVINCING WHILE YOUR ACTIONS ARE SHOWING YOUR DISTRUST, WHAT A FUNNY GAME,
and
I AM NOT READY TO PUBLISH THE KEY IN THIS WEEK
The Poly Network sent him 160 ETH (then worth a little under half a million dollars) as a bounty in hopes he would return the remaining assets. They also offered him a job as chief security advisor.
On August 25, 15 days after the hack, Mr .White Hat returned all of the remaining stolen crypto. It is not known whether he accepted the job, or just faded back into obscurity with his 160 Ether.
Whether or not the hacker was truly “White Hat” is disputed, with some prominent voices criticizing the Poly team for “whitewashing” the criminal actions of the hacker with the moniker they chose. Chainalysis CTO Gurvais Grigg suggested that Mr. White Hat returned the assets due to the difficulty of laundering them.
In the aftermath, the Poly Network launched a bug bounty program called Immunifi which pays people rewards for finding bugs in their code.
Coindesk
Also Coindesk
Wikipedia
Reuters
I mean 160 ETH is still a great bounty and not to mention he became a legend and doesn’t have to watch over his shoulder forever now.
Worth it in my book
Now that is how you make a white hat living. Damn, despite the massive loot his honesty still made him some life changing money if invested well.
I remember when everyone freaked out because they thought it was poly-matic
poly Network doesn’t learn the hard way just cost about 160 ETH instead $625 Million stolen
It’s not rare that hackers get recruited and turn into white hats, also, 160 ether as bounty? holy shit that’s amazing!
[deleted]
NETFLIX should make a series about this incident. I was literally on the edge while reading this story.
Dude went from hacker to Mr white hat, chad found a security flaw in poly network and then returned all the funds and received 160ETH bounty, also received a job offer as chief security advisor.
Worth noting: Embedded messages in data field of an Ether transaction between hacker and poly network was quite intriguing.
So he hacked and got rewarded 160 ETH, because he return it all?
Imo he is a smart genius head and didn’t think about what followed before.
He did it, because he could, and than recogniced, what he had done.
And solved it brilliant.
Doesn’t matter if he was a white hat, gray hat or black hat.
Returning the funds for a bug bounty compensation is what a white hat would do. Better him to do it then someone who would sit on 600M in crypto.
No amount of money is worth feeling like a criminal.
Now he has some karma points back.
[deleted]
What a legend. Hats off!
Ethereum pros & cons with related info are in the collapsed comments below.
in other words, he still escaped the temptation in time
Crime pays well, honesty pays modestly, but at least he can sleep at night
If a hacker pulls off a hack on your platform, he is not a white hacker anymore.
Call me crazy but stop rewarding hackers, it attracts more hackers
And yes I get they need to get the funds back and this is the cheapest option but damn
160 ETH is a pretty good reward for exploiting the loop holes. Good job by him for giving the stolen coins back.
>YOUR ESSAYS ARE VERY CONVINCING WHILE YOUR ACTIONS ARE SHOWING YOUR DISTRUST, WHAT A FUNNY GAME
Okay but this line has no right to go so hard, this is some Jigsaw level quote lol
Humility in humanity restored
I was there, 3 000 years ago
Good on them.
what a story dude
North Korea: 👀
Technically he’s a grey hat, but still good on him for returning the funds
Imagine waking up, hacking $600 mil, then thinking “Nah, too much work, I’ll return it.”
This was the work of my grandma
160 Eth is not to be sniffed at
Mr. White Hat exploited a vulnerability in Poly Network’s smart contract, resulting in the diversion of $611 million worth of assorted cryptocurrencies. Astonishingly, the hacker initiated a dialogue with the Poly Network via encoded messages within Ether transactions. What followed was a series of negotiations that led to the eventual return of the stolen assets, in exchange for a 160 ETH “bounty” from Poly Network. This move has prompted serious discussions in the realm of regulatory compliance. Can a ‘bounty’ absolve an action initially perceived as criminal? Furthermore, the Poly Network’s subsequent governance response included the launch of the Immunifi bug bounty program to encourage ethical hacking. This entire episode serves as a cautionary tale, highlighting the urgent need for robust compliance mechanisms and governance structures in decentralized networks.
I mean i knew about the hack but this is so interesting, can someone explain in basic terms how they communicated through transactions? Kinda new here
If you had written “faded back into the ether” rather than “faded back into obscurity” you would have nailed the post. Shame. /s
>Chainalysis CTO Gurvais Grigg suggested that Mr. White Hat returned the assets due to the difficulty of laundering them.
Very unlikely.