A white-hat hacker exposed a vulnerability in Poly Network.
Earlier this week, a sum of Tether cryptocurrency was stolen from Poly Network, a decentralized finance system, or “DeFi,” that uses blockchain to facilitate services like loans and trading. The dollar equivalent of the stolen Tether coins was $600 million, making it one of the largest thefts of cryptocurrency ever. Luckily for Poly Network, it seems the perpetrator behind the crime always had intentions to return the money.
Today, the vast majority of the stolen Tether coins were safely returned to Poly Network’s control. The unnamed hacker reached out to Poly Network, identifying themselves as a “white hat” hacker. White hat hackers perform somewhat civil services, penetrating vulnerable networks with the intent of informing the owners of said network about their vulnerabilities. According to the hacker, they only conducted the hack for fun, and were planning to return the money from the very beginning. For finding this rather severe vulnerability in their system, Poly Network offered the hacker a “bug bounty” of $500,000, though the hacker turned it down.
— Reuters (@Reuters) August 13, 2021
The only problem is that, while most of the stolen Tether has been returned, approximately $268 million worth of it has not been. Due to a particular characteristic of Tether as a cryptocurrency, the money was placed in a separate account that requires special passwords from both Poly Network and the hacker to access. The hacker turned down the bug bounty because they wanted a guarantee they would not be held legally responsible for the event, and intends to hold the last bit of Tether until they’ve received that guarantee.
“It’s likely that keys held by both Poly Network and the hacker would be required to move the funds — so the hacker could still make these funds inaccessible if they chose to,” theorized Tom Robinson, chief scientist of blockchain analytics firm Elliptic.