Decentralized Finance (“DeFi”) removes intermediaries and third parties in pursuit of a future where finance is frictionless – at least, that is the long-term goal. As the Total Value Locked (TVL) in DeFi grows exponentially, it draws increasing attention. With more money at stake, more attempts will be made to hack these protocols, and in time a small number of them are likely to succeed.
The Poly Network now holds the world record not only for the largest cryptocurrency exploit carried out via a hack but also for one of the largest known financial heists in history. At present, creators, hackers (not all hackers are bad), regulators, and market participants are operating in a more integrated way than they ever have before. With TVL displayed in real time and seemingly ever-growing bounties for bad actors, the risk-reward ratio is greater than most people can envision.
An example of this was the Poly Network hack. In this case, the Poly Hacker (as we will call them) took control of cross-chain liquidity programming mechanisms via a “keeper logic exploit.” They were thus able to take advantage of a fledgling ecosystem that had a TVL of over $600M deposited into its smart contracts, contracts designed to create dynamic yield opportunities for participants. Production hacks of this kind are generally the most lucrative for hackers, especially when funds are locked in a “keeper” that communicates across blockchains as a prerequisite for bonding various blockchains together. As noted in a recent CipherTrace report, 75% of all hacks are now on DeFi, because permissionless value in a pure-play free-flow format creates a “you don’t know what you don’t know until you know” scenario. The Poly Hacker was brazen enough to communicate through the text-input capabilities of Ethereum transactions, with one such message reading “…WHAT A FUNNY GAME,” while indicating that they were returning the funds not because they had to, but because they knew that any movement of the stolen funds would immediately be flagged.
In part, the Poly Hacker is playing a game, but there is also a more sinister side. Essentially, the Poly Hacker has taunted the community while most of the funds remain locked as Poly Network pushes updates through. A significant concern was that Tornado.cash offered enough obfuscation to launder the ETH over time without anyone being able to do anything about it. On the Binance Smart Chain, by contrast, those funds were returned first, because founder CZ has centralized control elements in place that acted as a deterrent, unlike the decentralized communities of Ethereum and Polygon.
The hack occurred on August 10th; ten days later, the drama that has played out is worthy of a Hollywood movie, with more information made available by the day. Most notably, given the positive outcome of the funds slowly being returned, Poly Network offered “Mr. White Hat” (a White Hat is a name often given to a hacker looking to do no harm) not only a bounty of $500,000 for returning the funds but also a very serious offer for the Poly Hacker to become the project’s Chief Security Advisor. It is unclear whether they will accept either the “bounty,” which has been paid to their wallet in ETH, or the job they never asked for! In the midst of all the chaos, the overall long-term outcome for DeFi could not be better, with top projects such as OpenZeppelin solving exploits through bug-bounty initiatives, competitor projects such as THORChain securing their own networks even after being hacked themselves, and auditors such as CertiK securing newfound levels of trust across blockchain projects.
These elements of DeFi are congruent with the forthcoming regulatory and compliance era, in which innovation and regulation will collide.
Joshua N. Boles, known as Neo, is a global serial entrepreneur, founder of NeoFlow Asset Management and co-owner of FINTECH.TV. Connect with Joshua on Twitter and LinkedIn.