EP 94: Inside the Poly Network Hack
About this episode
December 7, 2021
What can the Poly Network hack tell us about the state of cyber risk in the world of blockchain and smart contracts? Let’s find out with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
You’ll find more details about the hack here: https://research.kudelskisecurity.com/2021/08/12/the-poly-network-hack-explained/ and here: https://slowmist.medium.com/the-root-cause-of-poly-network-being-hacked-ec2ee1b0c68f/
Sign up for our free ethics CLE on December 15, 2021: https://www.eventbrite.com/e/1-hour-cutting-edge-cle-on-december-15th-at-12-pm-pacific-tickets-187700476177
Want to better understand crypto currency? Check this out: https://youtu.be/rYQgy8QDEBI
Kip: Hey everybody, we're going to interrupt the start of the show with a brief announcement for the attorneys in our audience.
Jake: Do you need an ethics credit before the end of 2021?
Kip: If you do, we have a free continuing legal education course with your name on it, and it's practical for your law firm.
Jake: That's right. We're going to explore reasonable cybersecurity, according to RPC 1.6(c) and the ABA formal opinion for 177R and how that specifically applies to risk assessment and data backups.
Kip: Yep. So join us online for our one hour cutting edge CLE. It's going to happen on December 15th, 2021 at noon Pacific time, and this is going to be live. And Jake and I are going to teach you how to operationalize these topics.
Jake: In addition to the ever valuable ethics credit you'll receive actionable advice that you can use right away.
Kip: Exactly. So I want you to sign up now and there's two ways to do it. You can go to eventbrite.com and you can search for us and find the event or, more helpfully, we've put the link for you in the show notes. So get down into the show notes and find it.
Jake: We hope to see you there. And now on with this episode.
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, virtual chief information security officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.
Jake: So Kip, what are we going to talk about today?
Kip: Jake, hi. Boy. I think this is going to be a cool episode. Today, we're going to go inside the poly network hack. Did you hear about the poly network and how it got hacked? That happened in early August 2021?
Jake: I believe I did. This was a DeFi attack, right? A cyber attacker stole something like 600 million from a decentralized finance platform provider. That's what DeFi means. I believe, is that what we're talking about?
Kip: Yeah, that's the one. Yeah, right. Now, here's one of the reasons why I think this is so interesting and why our audience is going to enjoy it. This is a cutting edge crime scene.
All right. Like the very place that it happened is so new for most people that I think we need to take a step back and we need to tell everybody what is decentralized finance and why is Poly Network, a platform provider in that space? And let's see if we can do it with ordinary business language instead of ones and zeros. You want to give it a try?
Jake: Sure. So first of all, DeFi is really about using cryptocurrency and "smart contracts" on blockchains. Wow, how's that for like a sentence full of buzzwords. As a new way for organizations to pay each other without using a traditional centralized payment method like paper checks or ACH.
And the most common cryptocurrency being used in DeFi is a coin called Ethereum. So this is not Bitcoin. Bitcoin is a cryptocurrency, but it is not the one we're talking about today. So I don't think we need to go much deeper in this episode.
However, I do want to briefly explain blockchain as a concept only because I think it's relevant to the smart contract concept here. And actually I just watched a video that does a really good job of explaining this in super easy to understand language. And what it is, is if you just imagine a blockchain is nothing more than a series of records that have been hashed.
And a hash is like... That's a cryptographic signature basically. And so all you really need to know is that the hash will tell you if the hash changes, that means it's something. Something in the record itself has changed.
And so you shouldn't trust it. For purposes of this, that's all we care about. And so what a blockchain is, is it's a long chain, hence the name of these hashed records. And every time you add a new block, the hash includes all of the records from earlier in the chain.
So basically what it means is that if anyone tampers with the chain, the hashes are going to get all out of whack and you can say something is wrong and you don't necessarily know what's wrong.
You can't really tell [crosstalk] that's not how hashing works. Yeah. But you know that it's been tampered with. And so, in theory, this creates a... And I think it's important to say, it's not the case that you can't change a blockchain, right?
That's not what this is doing. What the point of it is, is that you can't change something in a blockchain without everybody knowing that's really what's important.
Kip: Right. And so in ordinary business language the term that I like to help people think about blockchain is it's an open ledger with-
Jake: Open ledger. Yes.
Kip: Yeah. It's an open ledger. In other words, we're writing down transactions and everybody can see what the transactions are. We can see where the money came from, where it went to, date timestamp, so on and so forth. Now it's pseudonymous because, we're just talking about wallet IDs, not exactly names.
Jake: Yeah, exactly.
Kip: But, it's an open ledger. We can see the transactions. And this is an open ledger that has, as you indicated, a tamper proof feature. In other words, if anybody tampers with it, it's immediately obvious that it was tampered with.
You can either have high trust in it because, there's no sign of tampering, because it's cryptographically sound or if it's tampered with you know right away.
So that's, what's great about blockchain and the whole idea of an open ledger. So, okay. Now, technically I don't want to go any deeper than that. I do want to say one more thing though, about Poly Network. Everything we're sharing with you right now is really important to understand the hack and to understand what happened. So there's just one more thing and that's this.
Poly network does something really interesting, which is if you have different blockchains and you want to do a transaction where you move cryptocurrency from one blockchain to a different blockchain. In other words, you want to go off one ledger and you want to go on another ledger. That's what poly network does.
Is it facilitates a peer to peer transaction that lets you move value from one ledger to the next ledger. Now that's a very specialized service that they're providing and this is all very new, right? This whole scene is new. All of this technology is new. It's been around for a few years, but it's not the same as the banking system, right?
This is in comparison infantile. So in terms of its maturity, it's all new. Okay. Now, I think that's enough basis for understanding what we're about to share with you. Poly Network was hacked and I think this is a really good illustration of the status quo.
And on this podcast, we've talked a lot about how cyber criminals and cyber soldiers have the rest of us completely outgunned.
And I think this is a perfect example of just how outgunned we really are. And I think it also makes some other examples as well. So let's now get into the hack. So Jake, how were the coins stolen? Because over 600 million dollars worth of coins were stolen. So how did that happen?
Jake: So the first thing that's actually a relief, is that the reports say that the coins weren't stolen by breaking the encryption. That's good. Because if a commonly used algorithm was somehow compromised, we've got much bigger problems than just Poly Network.
Kip: That's right. Yeah, that would destroy the underpinning for so much commerce across the board, even commerce, having nothing whatsoever to do with Bitcoin.
It would really mess with automated teller machines and all kinds of things, right? So it wasn't an algorithm compromise or anything like that. Okay? So that's good. So, okay. So Jake, how were the coins stolen?
Jake: Well, one more negative. The theft wasn't due to stolen private encryption keys either. And that's interesting because that's usually how cyber criminals will steal Bitcoin and other cryptocurrencies they'll do something like a SIM swap attack to gain control of a person's mobile phone number.
Then they'll reset the passwords to the accounts connected with the bitcoin owner's wallet. And then they transfer the coins into a wallet only they can control.
Kip: Yep. And yeah, so that's a very common way of stealing people's bitcoin is you compromise their account. You actually take control of the account and then you can move things around.
So two very obvious ways that you might think this 610 million dollars were stolen, but nope, neither one of those techniques were used. Let me tell you what happened. So this theft happens because Poly Network actually made implementation errors in their smart contracts.
Jake: Wait. They made a mistake?
Kip: They did. Yeah. They made a couple.
Jake: That never happens I thought.
Kip: They made a couple of big mistakes and the cyber criminals studied the way they did smart contracts and everything else. They studied, studied, studied for probably months. And they just picked them apart to try to figure out how do these things work? I mean, this is what cyber criminals do and more benignly, right? This is what white hackers do, right?
Is they pull things apart. Like, how does this work? I want to understand how this thing works. It could be a piece of hardware. It could be a software program, doesn't really matter. They like to take things apart and know how they work.
And that's exactly what happened here. Unfortunately, the poly smart contracts were not as well put together as they thought. And so there were access rights between two very important poly smart contracts, which allows them to move cryptocurrency from one ledger to another.
And these access rights were not managed correctly. They were too permissive and it opened up a vulnerability and that's actually how this exploitation occurred. And so there was an oversight on Poly Network's behalf, the cyber thief got in there and found it, and they moved the cryptocurrency and they could move it whenever they wanted, they could move it wherever they wanted.
It gave them full control over the entire amount of money. And so from Poly Network's point of view, what happened was they didn't practice good cyber hygiene in an area of their primary responsibilities to their customers. I mean, if you're going to use Poly Network or you're going to use anybody to handle your money, the integrity of the core processing platform has to be beyond reproach. And it wasn't.
Jake: Yeah, that's bad. But the reality is that, that kind of thing happens all the time in other areas, failing to patch servers, failure to make fast, reliable data backups.
If they shot themselves in the-
Kip: That's not new.
Jake: It's not new. And you know what, if you shoot yourself in the foot, how does that really prove that we're outgunned by these criminals?
Kip: Ever the litigator aren't you Jake?
Jake: Yes, always. Once a litigator, always a litigator, still a litigator. That's just how it is.
Kip: Okay. All right, Mr. Boyle, please come to the point. Right? Okay. I'll do it. All right. That's what it looks like from Poly Network's point of view. Okay. That was kind of like their complicity in the crime, but now let's look at the cyber criminals point of view.
Okay. So they grabbed the coins. Boom. They hacked, they took the money, then what? Well, this is what happened. And this was sort of reported in the main media, but the way it was reported, just got me thinking like, this doesn't sound right. I need to dig. And so I started digging.
Well, what happened was is that the criminals grabbed the coins. And then after some delay fussing around having public conversations with people at Poly Network, the criminals gave back the coins, like all the coins. They gave back 610 million dollars worth of cryptocurrency.
And when they did that, they said publicly, oh yeah, no big deal, happy to return the money. And I want to read you this quote, one of these quotes that the criminals actually released.
And he said, "My actions, which may be considered weird are my efforts to contribute to the security of the Poly project in my personal style". And okay, it doesn't take a lot to read in between the lines.
What was he actually saying? He was actually trying to say, hey, I'm a white hat hacker and I was never going to do anything bad with the money. I was never going to steal it. All I wanted to do was just demonstrate this vulnerability. So that Poly Network could fix it and everybody would be better off. That's what I was up to the whole time. Okay. So do you find that believable Jake?
Jake: In the parlance of the crypto community seems legit.
Kip: Okay. Well, I didn't believe that for a second. Sorry. I'm a doubter. I'm a cynic.
Jake: Well, no, no. It's that you're not a member of the crypto community because seems legit is generally meant as a...
Kip: Oh, that sarcasm reigns supreme, doesn't it?
Jake: It is sarcasm. Reigning supreme. Yes.
Kip: Okay. Well, cool. You're right. I'm not a member of the crypto community, but good one. Oh, well then fine. Then we're on the same page, right? So I'm like, come on. There's more to it than this, right?
He was right. It seems weird. It's too weird. No one's going to give back this money unless they don't have any other choice. So I started digging.
All right. Now I found two reports that I believe are much more likely as to the true story here. Now, we don't typically do show notes and we've talked about that. But this time it was so important that I share these URLs with you. And I can't possibly read them to you over the air. That would be dumb. So I've put them in the show notes. If you want to dig into this and I would be glad if you did.
Go grab the URLs, read the reports they're not too hard to read, but they also have a lot of details in there. So if you really want to understand this, go get them.
But here's the issue. Okay? This attack was way too easy. The cyber criminals were way too successful. They actually stole more money than they could quickly and safely anonymize and then use for their own purposes.
I mean, this was just pure greed and the ease of the theft would just sort of cause the cyber criminals to shoot their own selves in the foot here so it's just kind of comical. But I think the reason why this happened was because it was just like taking candy from a baby. The criminals stole more money than they could quickly and safely do something with, right?
They stole so much money that Poly Network saw almost instantly that they had been taken. And once Poly Network saw that they issued a public plea. On Twitter, they just said, hey, everybody, we just got ripped off, here are the addresses the coins...
Hey, everybody just cooperate with us and blacklist these stolen coins and don't accept them, don't process them. And so what Poly Network was trying to do is kind of isolate the criminals so that they couldn't move the coins around.
Now, they were actually successful at this. So the cryptocurrency community was super cooperative with Poly Network and they did in fact, blacklist the coins.
So what was the thief trying to do? Well, they were trying to launder the coins through something that's called a liquidity pool, and I'm not going to unpack what a liquidity pool is.
You can certainly go look it up and learn about that. But let's just say that it's good enough to know that if you put your coins into a liquidity pool, you can anonymize them. Right? You can actually then withdraw new coins, which are clean and then you can go about your business. All right.
So that's what they were trying to do, but Poly Network put a stop to it. Okay. So that was one thing that stopped them from getting away with all this money.
Now, the other thing that happened too, is that once this became publicly known, a bunch of security researchers started poking into this and guess what they figured out? Was that the person who had committed the theft using that particular wallet ID and other information, they had actually used that information in the past, on another blockchain.
It was an obscure blockchain, but never underestimate security researchers.
Kip: This is awesome. Because the thieves weren't being careful about covering their tracks, investigators found out their current email address, their current IP address. And so it's like the jig is up, right? I can't move the coins and my identity is about to be blown. So because the criminals screwed up, they ended up in this bad situation.
Jake: So what's really interesting is that, as you were explaining that I just had two huge completely conflicting thoughts. And I think my second thought is actually the correct one. The first one was, gosh, if a network can just blacklist coins, what a terrible currency ultimately this will make, right?
This is just a ridiculous idea. Then I realized, wait, actually, no, this is exactly the same, but better in a lot of ways, than what banks have done for quite a while by putting ink bombs in cash bags and it's marked currency, right?
The whole point of an ink bomb going off in a bank's vault is to mark that currency as stolen. And you know what, it's the exact same concept. It's circulated around, other banks know, other businesses know not to accept that currency and now what's interesting about that is, again, this goes back to just a statistic from the YouTube video, which we might as well go ahead and we'll put it in the show notes since we have them for this episode.
Kip: We'll put those in too.
Jake: But it said that, despite the use of cryptocurrency for ransomware payments, it's like 0.37% of cryptocurrency is used for crime compared to like almost 5% for cash, which makes sense, because cash is actually anonymous, as long as it hasn't been subject to an ink bomb. Right?
Kip: Or the serial numbers written down.
Jake: Or serial numbers written down. So what's interesting though, is that in a lot of ways, a functioning cryptocurrency market, which I'm not saying we have yet, I think this kind of shows why we don't necessarily have it quite yet, but at some point in the Future one could see a reality where, this is potentially "better" than cash.
Whereas if a bad guy gets unmarked cash that is... Unless you happen to have the serial numbers written down. Yeah. That's anonymous. And anyway, just fascinating how they were able to do this and I think... Well, I want you to finish the story, because I think it's interesting how we get to the end here.
Kip: Yeah. Okay. So let's recap. So what happened was the criminal exploited, a smart contract flaw in the permissions actually.
Jake: And they did it well.
Kip: Yeah, they did. And so that was the weak point. Then that's what they exploited. They grabbed 610 million dollars worth of cryptocurrency and they were headed out the door and then Poly Network smashed the red button and everybody in the store blocked the exit.
And then somebody started to pull the mask off the thief so that they would lose their anonymity. Okay. So now at this point, what can a sane person do except return the money and try to make the case that they were just joking. Okay. And that's what that was, right? It's like, what choice do they have?
Jake: [Psych, psych 00:21:09].
Kip: Yeah, right. I was just kidding. Right.
Jake: Take care.
Kip: I just insulted you and your family, but I was just kidding. Come on, give me a break, right. Now, Poly Network obviously has some good supporters in the cryptocurrency community. There's no doubt about it because everybody rushed to their aid.
And to your point, Jake, that is kind of like the ink bomb going off in the canvas bag of currency that's being hauled out of the bank branch. But let me ask you this. What if Poly Network actually had an awful reputation in the crypto community and people wanted to see them fail?
Jake: Then they probably would've failed.
Kip: They probably would've failed. They would be out of business right now. Right now they would be out of business. They would be another Mt. Gox. And it would be like, okay, well, there's another one wiped off the face of the earth.
And there's 600 million in people's money gone. Right? Just gone. Laundered through a liquidity pool, never to be seen again. And so Poly Network succeeded in part because they were heroic, they had friends.
And because the cyber criminals shot themselves in the foot, they got too greedy and too impatient, and they tried to make a run for it because they thought they could get away with it. What a crap show.
Jake: Well, it's yes, but it's also super interesting.
Kip: It's very interesting.
Jake: We started off this episode by saying, we're outgunned seriously, badly, but the end result of this story, it actually shows almost the opposite that-
Kip: In some ways I think you can make that case.
Jake: So there's that, but at the same time, it's also fun for us because, we like to harken back to the days of Bonnie and Clyde and bank robbers. And you know, how fascinating is it, like this is as close to a bank robbery as you get in.
Like, oftentimes we'll say, we look at ransomware and we talk about crime, but ransomware is more like kidnapping, right? Which is a very different visceral... You have a different reaction to a kidnapping as opposed to just a bank robbery. Right?
But this is much closer to an actual bank heist. And it's just fascinating because I mean, good Lord, almost a billion dollars.
You know how hard that would be to take in cash? And if you had to physically haul it around, I mean, it's just interesting, like what it means for the future. And you're right. We don't want to lose track of the fact that, that was not really...
Just like it's not really the bank's cash in a sense, that wasn't really Poly Network's money. And again, this is one of those questions I have, is like we said, DeFi, is it really DeFi if you can break it all by attacking one component?
I don't know that this should qualify as DeFi. If that's the case, there's a single point of failure. I mean, how is that really any different than a bank that just, in the pre FDIC world, where if the bank lost money, it lost money. There was no backstop.
Kip: Right. And I think that's another important point here to mention is that there is no FDIC if... None of this stuff is FDIC insured. If the money gets stolen, you're just SOL, there's no recourse, there's no backstop.
And so I just don't know that people really understand just how immature the system is and just how risky it can be sometimes. Maybe they do and maybe that's part of the thrill, and I'm sure over time, this is going to get better.
So I'm not condemning this and saying it's never going to get better. I know it's going to get better. But I mean, if you're Poly Network, your reputation's messed up right now, don't you think?
Jake: Oh quite. How would you trust them? I mean, as you said, they got lucky. They had some heroics and more so... I actually say this is more luck than heroics. They smashed the red button and they got lucky that people responded.
Kip: Because they didn't have a guard force. They had friends.
Kip: And if their friends weren't feeling generous that day, they would've had nothing. So anyway, so Poly Network's still in business but their reputation's messed up and who knows, they might slowly die because who's going to trust their smart contracts? I'm not sure. We're going to have to watch it play out. Right? We're going to have to watch it play out.
Jake: The other thing just to mention is that, the other luck component is that the hackers in this case made... They also made a mistake in the past. Right? Reusing... What was it? A digital wallet number or something, some address that... Because, if they had actually stayed anonymous, they might have been able to still get away with something. I don't know. It's not exactly clear to me at this point but...
Kip: It could have. They could have parked the coins somewhere and just waited. Right? Just like, okay, I'm just going to wait until the heat's off. Right? But the fact that they were almost unmasked made the waiting option impossible for them. Right.
So tons of luck here. But let's just take it from the perspective of Poly Network. Okay. So who is in our audience? I would allege that based on what we know about our audience, people listening right now are people who are responsible for protecting the assets of their employers.
And so just pretend Poly Network was your employer, do you really want to be working for a company that has gone through an experience like this? If you're the owner or the senior decision maker of a company, would you want somebody to hack you like this?
And I guess my big takeaway for people in our audience is because I'm not really interested in helping the criminals get better, but if you want to get better at protecting your digital assets, you got to think about what would it have been like if I had been Poly Network and I think the lesson here is make yourself a smaller target, right?
Jake: Yeah. I think that's always the case, if it's possible to do so. The other thing is that, and maybe this is painfully obvious, but if you are a company whose existence is founded on cyber security, which I think is actually quite a few businesses not just cryptocurrency exchanges or DeFi networks or...
Kip: If you have an SSO based website you're depending on cybersecurity.
Jake: You really are. And I think that just means that like, you have to... Let's just say that Poly Network does go out of business, right? That means that there is some level of like... To some degree they would be willing to spend in theory, almost any amount of money on cyber security to prevent this from happening. Right?
Obviously, up to 610 million, perhaps. I kid, but the point being that... To me this is a failure of threat modeling and a failure of imagination. Poly Network didn't understand the ways that it was vulnerable and this was the result. And who knows if they'll recover.
It is interesting Kip. I think we would not look at a bank that was robbed and say, well, I don't trust that bank anymore because they got robbed, generally speaking.
And to maybe really stretch this metaphor, on the other hand, the question is, is, was Poly Network acting as... What was the situation here?
If a bank just used a plywood door and they're like, oh my gosh, we can't believe that all of our money got stolen. I don't think people would trust a bank that used a plywood door for its vault and maybe that's analogous to what Poly Network did here. I don't know. It's an interesting question.
Kip: Well, I think that if you want to compare Poly Network to a bank, I think we also have to put a caveat out there, which is this, banking is a highly mature industry, but there was a time before any of us were born, anybody old enough to listen to this podcast was born.
Banks were not highly regulated, highly trustworthy institutions. When banks in the United States first started up, they were actually printing their own money. I mean, every bank printed its own currency and they had no FDIC.
Jake: That's where the name bank note came from.
Kip: Yeah, right.
Jake: And all a bank note was, was a receipt. And actually, interestingly enough, the YouTube video that I have now mentioned like 600 times also talked about this history, which is one of the reasons it's so helpful.
Kip: Yeah. And so just like we're seeing the emergence of cyber insurance as being analogous to the rise of fire insurance back in the 1800s.
I think that the rise of cryptocurrency and decentralized finance blockchain, and so forth, really hearkens back to the beginning of the banking system in the United States back to the 1700s, 1800s, and none of us were alive back then to remember it.
But I think if you study your history, you're going to see a lot of parallels here. And a lot of the bank failures that happened back in the day and a lot of the pain and suffering until the industry matured. I think we're going to relive that here in the crypto world. But the point of this episode is not to pick on cryptocurrency, blockchain, decentralized finance, and all that.
That's not the point. The point of the episode is just to make the case that we are still wildly outgunned by criminals, even greedy ones that shoot themselves in the foot.
Because you might say, well, Poly Network's fine. They got out of it. No, they didn't. First of all, they got lucky. They almost lost all their money. They almost went instantly out of business. Remember cyber is an existential risk now, right? It can put you out of business in a flash. And that almost happened to them.
Certainly their reputation's messed over. So you can't say they came through unscathed, because I don't think they did. And I think this lesson is portable. I think it's portable to anybody who's doing business on the internet today.
And so you have to treat it as a business risk. You got to bring in people, process, technology and company policy, whatever it is, you need to bring it all into play because your business's life can get extinguished at a moment's notice if you're not careful. We are outgunned, everybody.
Jake: Agreed. All right. I think that's a wrap.
Kip: All right. And I will in fact declare that this wraps up this episode of the Cyber Risk Management Podcast. Today, we went inside the recent Poly Network hack to see what we could learn about the state of cyber risk in the world of blockchain and smart contracts and what it can tell us about our own cyber risk management landscape. We'll see you next time.
Jake: See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit email@example.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.