Attackers issued billions worth of several tokens on Sunday morning after exploiting a smart contract function in cross-chain protocol PolyNetwork’s bridge tool.
Bridges allow users to swap tokens between different blockchains using a smart contract by locking value on one network and releasing it on another.
PolyNetwork attackers were likely able to manipulate the way the bridge works and trick it into issuing tokens on one network which, in reality, did not exist.
Attackers minted 24 billion binance USD (BUSD) and bnb (BNB) on the Metis blockchain, 999 trillion shiba inu (SHIB) on the Heco blockchain, and millions of other tokens on various other networks, such as Avalanche and Polygon. This meant the attackers’ wallet held over $42 billion worth of tokens (on paper) immediately following the attack.
But an abject lack of liquidity prevented the attackers from monetizing the gigantic token stash. Metis developers confirmed there was no “sell liquidity available” for the BNB and BUSD, while the illicitly-issued METIS tokens were locked on the PolyNetwork bridge by developers.
However, the attacker found liquidity for other illicitly-minted tokens and was able to exchange 94 billion SHIB tokens for 360 ether (ETH), 495 million COOK for 16 ether and 15 million RFuel for 27 ether, analytics firm Lookonchain said.
“We noticed that hackers are transferring assets and 1 $ETH to new wallets, most likely for sale,” Lookonchain added.
Sunday’s attack was the second time PolyNetwork had been targeted by attackers. The protocol was exploited for $600 million in August 2021 – a then record hack – after the alleged leak of a private key that was used to sign a cross-chain message. As such, bridges remain a key, yet vulnerable, part of the crypto ecosystem: They are important for enabling the transfer of billions of dollars worth of tokens between various networks but have been the topmost target for attacks and hacks in the industry’s history.