
Startup Poly Network to Urge Hackers to Return $600 million and Further Legal Action


Investors lose their life savings in a cryptocurrency scam.  Reportedly, Poly Network got hacked for more than $600 million across Ethereum, Polygon, and BSC.

Poly Network stated: Important Notice: We are sorry to announce that #PolyNetwork was attacked on @BinanceChain @ethereum and @0xPolygon. Assets had been transferred to hacker’s following addresses: ETH: 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 BSC: 0x0D6e286A7cfD25E0c01fEe9756765D8033B32C71

We call on miners of affected blockchain and crypto exchanges to blacklist tokens coming from the above addresses. Furthermore, we will take legal actions, and we urge the hackers to return the assets.

After preliminary investigation, we located the cause of the vulnerability. The hacker exploited a vulnerability between contract calls; the exploit was not caused by the single Keeper as rumored.

In response, Paolo Ardoino stated: “@Tether_to just froze ~33M $USDt on 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963 as part of the Polynetwork hack.”

Mudit Gupta gave a correction: They originally had 4 keepers. At least 3 of which were compromised. The attacker proceeded to swap the four keepers for a single keeper.

Rumor about a single keeper: Analysts say that this was not a DeFi or smart contract hack but a traditional key compromise, combined with irresponsible design decisions made by Poly Network.

The smart contract needs a majority of keepers to sign an action for it to execute. Typically, this is a multisig. A multisig should have more than one signer, but it looks like Poly Network used just a single keeper.

The Keeper had control over all funds. The hacker got hold of the Keeper’s key by using traditional hacking techniques, or possibly someone on the team colluded; this might not be clear without proper investigation.

They used the Keeper’s key to sign instructions which ultimately ordered the smart contract to transfer all funds to the hacker. The smart contract verified the signature, and since only one signature was needed, it processed the request.
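The majority check described above can be sketched as follows. This is an added example, not Poly Network's contract code: the keeper names, keys and message are constructed, and HMAC-SHA256 stands in for the public-key signatures a real contract would verify.

```python
import hashlib
import hmac

def sign(key: bytes, message: bytes) -> bytes:
    # Stand-in for a keeper signature (assumption: real contracts verify
    # public-key signatures, not shared-secret MACs).
    return hmac.new(key, message, hashlib.sha256).digest()

def quorum(n: int) -> int:
    # Strict majority of the keeper set, as the article describes.
    return n // 2 + 1

def verify_action(keepers: dict, message: bytes, sigs: list) -> bool:
    """True only if a majority of distinct registered keepers signed message."""
    valid = set()
    for name, sig in sigs:
        key = keepers.get(name)
        if key is not None and hmac.compare_digest(sig, sign(key, message)):
            valid.add(name)  # a repeated signature from one keeper counts once
    return len(valid) >= quorum(len(keepers))

def audit_keeper_set(keepers: dict, min_keepers: int = 3) -> list:
    """Configuration check: flag keeper sets where one key can move funds."""
    findings = []
    if len(keepers) < min_keepers:
        findings.append(f"only {len(keepers)} keeper(s); expected >= {min_keepers}")
    if quorum(len(keepers)) == 1:
        findings.append("quorum is 1: a single stolen key authorizes any action")
    return findings

# Constructed sample data (hypothetical names and keys).
FOUR = {f"k{i}": f"secret-{i}".encode() for i in range(1, 5)}
ONE = {"k1": b"secret-1"}
MSG = b"transfer all funds (constructed message)"

if __name__ == "__main__":
    stolen = [("k1", sign(FOUR["k1"], MSG))]
    print("4 keepers, 1 stolen key:", verify_action(FOUR, MSG, stolen))
    print("1 keeper, 1 stolen key:", verify_action(ONE, MSG, stolen))
    print("audit of single-keeper set:", audit_keeper_set(ONE))
```

With four keepers, one stolen key is rejected; with a keeper set of one, the same key passes the same check, which is the condition the audit function flags.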

This is reportedly the most significant crypto hack ever. It is not a DeFi hack; it is much closer to traditional hacks of crypto startups, which in turn resemble past hacks of crypto exchanges, and it therefore requires thorough investigation by sovereign agencies.

Also, they have not verified their contract on Etherscan, which is considered to be the de facto place to verify.

Community response:  How the hell did such a low-quality project get 600M of liquidity? Guessing they just offered a billion % APY and people aped.


Steven Anderson
