The biggest decentralized finance (DeFi) hack to date, of the interoperability protocol Poly Network, with roughly USD 600m stolen, is not over just yet, as the attacker has not yet provided the final key of the multisignature wallet, stating that they will provide it “when everyone is ready.” However, the attacker has been offered a significant position on the team.
In the latest development of the saga, the Poly Network team stated that it has completed the second phase of its “Mainnet Upgrade” and maintained constant communication with the hacker. The team behind the protocol has offered the person they call “Mr. Whitehat” the role of the project’s Chief Security Advisor, in response to his concerns about security and overall development strategy.
“To extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network,” the team said, while also reiterating that the attacker will be free to use the USD 500,000 bounty at their own discretion without any legal repercussions whatsoever.
After a silent weekend, the attacker continued to leave messages and answer questions embedded in the Ethereum transactions.
Notably, after initially refusing to take the USD 500,000 white hat bounty, the attacker appears to have changed their mind and is now considering taking the money from the Poly Network as a reward for other public hackers if they can hack the network.
In the hacker’s own words:
“MONEY MEANS LITTLE TO ME, SOME PEOPLE ARE PAID TO HACK, I WOULD RATHER PAY FOR THE FUN. I AM CONSIDERING TAKING THE BOUNTY AS A BONUS FOR PUBLIC HACKERS IF THEY CAN HACK THE POLY NETWORK. (THEY CAN WIN DOUBLE IF THEY FEEL THE CURRENT PLAN IS AWKWARD).”
In addition, the tone of the communication seems to have changed into a more demanding one, as the attacker stated that the Poly Network’s bounty is “imaginary” and that, in case they do not get it, they have sufficient budget to make “the show go on,” saying:
“IF THE POLY DON’T GIVE THE IMAGINARY BOUNTY, AS EVERYBODY EXPECTS, I HAVE WELL ENOUGH BUDGET TO LET THE SHOW GO ON. JUST SOME FUNNY THOUGHTS BUT I MAY PROBABLY MAKE THEM COME TRUE. IF YOU ARE STILL CONFUSED, ASK SOME RICHER FRIENDS, WHAT IS MONEY FOR?”
Then they added:
“WHO DO YOU THINK IS DOMINATING THE GAME?”
In response to the messages, the Poly Network team has launched a separate USD 500,000 bug bounty program in partnership with Immunefi, a bug bounty platform for smart contract vulnerabilities.
The announcement states that a successful critical vulnerability disclosure will be rewarded with USD 100,000, with the total bounty pool consisting of half a million dollars. In addition, the Poly Network released a security roadmap to help “restore user trust” in the protocol.
“With the aim of ensuring complete, safe, and smooth asset recovery, we would like to briefly share Poly Network’s roadmap for resuming operations and fully recovering user assets in the coming phases,” the team wrote.
At pixel time, the attacker has sent nearly all taken funds into the multisignature address created by the Poly Network team, with the exception of 33.2m USDT frozen by the Tether network.
Nevertheless, they are yet to provide their key, which is required to complete the return of the funds. In the message, they stated that they do trust some of the Poly Network’s code, but not the whole Poly Team, adding that they are confident of the team’s desire and capability to recover and secure the project, which they described as “a robust system.”
“MY ONLY CONCERN IS THAT THE POLY CHAIN, THE CORE PART OF THE NETWORK IS NOT VERY DECENTRALIZED, AND THAT IS NOT SOMETHING I CAN CONTRIBUTE TO. MAYBE I AM WRONG,” said the hacker.
They further expressed surprise that the Poly Network team called themselves “professional negotiators” and stated that they will “provide the final key when _everyone_ is ready,” concluding that:
“I MIGHT RELEASE IT EARLIER AS LONG AS THE COMMUNITY UNDERSTANDS EVERYTHING.”