Security Research

How Forta Could Have Prevented Poly Network’s $600M Hack

October 25, 2021

This is the first post in what will be a regular series exploring noteworthy smart contract security events in the industry and how Forta could have helped.

First up, Poly Network

Poly Network is a cross-chain DeFi protocol that allows users to move assets between different L1 and L2s. When you want to move a token from one blockchain to another, you don’t physically move it. Instead, you lock up assets on one side and issue an equivalent amount of new assets on the other side. The key is making sure only assets on one side of the equation are available at a time. The smart contracts that facilitate this activity are called a “bridge”, and the bridge’s job is to keep track of the locked and issued assets across multiple chains.

As is now well chronicled, the Poly Network was exploited on August 10 for $610M, making it the largest DeFi hack in history.To understand exactly what went wrong, you need to understand the role of two Poly Network smart contracts – CrossChainData and CrossChainManager

CrossChainData manages access to Poly’s wallets on different blockchains. It’s like a bouncer with a clipboard standing outside a party. If you’re not on the list, you can’t get inside. In this case, being on the list means you have access to Poly’s wallets on various chains. 

CrossChainManager can trigger messages from another chain to the Poly chain. It is also an owner of the CrossChainData contract, meaning it can execute otherwise privileged functions within the contract – like changing the names on the clipboard!

The hacker was able to manipulate the CrossChainManager contract and initiate a transaction that replaced the authorized public keys in the CrossChainData contract with the hacker’s public key. With Poly’s wallets now under the hacker’s control, the assets were funneled into their own wallets. 

Before we discuss how Forta could have detected this exploit, it’s important to note this exploit was carried out over 184 blocks (roughly 40 minutes) in a series of transactions. Detecting the first suspicious transaction is critical to preventing or mitigating damage. 

How Forta could have helped

In this case, the first suspicious transaction was the CrossChainManager replacing the keeper public keys with the public key of the hacker in the CrossChainData contract. 

A Forta detection bot could have been written to monitor any change to the keepers listed in the CrossChainData contract. If a change was detected, the bot would fire, emitting a public alert notifying the Poly Network, community and the ecosystem at large. Early detection of the keeper change would have allowed the Poly Network team to pause their CrossChainManager contract and prevent any withdrawals from their wallets. Other stakeholders downstream of the Poly Network could have taken their own steps to minimize loss.

The keeper change wasn’t the only exploit that a Forta detection bot could have detected. Another condition Forta detection bots could have monitored were asset balances in the Poly wallets. If the wallet balances drop by a certain percentage, for example, the bot would fire, emitting another alert. Detecting the exploit at this stage may not have prevented the loss completely, but it may have mitigated it. 

Both example detection bots mentioned above – monitoring a change to the keepers listed in the CrossChainData contract, and monitoring the balances of the Poly wallets – have been written and published by the Forta core development team. Anyone, including the Poly Network team, can subscribe to these alerts.

If you’re a protocol team interested in using Forta, reach out to us here. If you’re a developer interested in writing your own detection bot on Forta, use the Forta Detection bot SDK to get started! 

For a more technical explanation of how Forta could have detected and prevented this exploit, check out the Youtube video below.

https://www.youtube.com/embed/d8aNJTXywvc

Share