5 years ago I could have been sitting around and joking about, “how one blockchain would rule them all”, and many of us back then, including me, would have smiled and looked around hoping that no one realized that we didn’t know what the heck they were talking about.
Now, Reddit is on fire with the latest hack–this time it’s a technology called Poly Network. I think it’s about time we dig in our heels and get to the bottom of exactly what happened. Today, I spent 7 hours after hearing about how Poly was hacked trying to understand it… These are those seven hours translated into this mostly unedited prose–my theory of how Poly was hacked. But before, let’s lay some groundwork as to the building blocks of this challenge ahead of us. Let’s make sure we understand it all. From the beginning.
So what do we know about blockchain technology?
We all know that blockchain is a decentralized digital ledger that can’t be altered after a transaction has been entered, and we all know that there is some cryptography involved in that transaction. What we didn’t know and what many of us still don’t know is exactly how this is all being accomplished. And, why is it even important?
Now, we all have thousands of dollars invested into these “blockchains” and I suspect, that many of us still don’t know exactly how these things work. I’m with you in this. Even though I have years of experience with computers and programming, truly understanding blockchain is a challenge.
I don’t understand every project and if you corner me and get me to explain exactly what blockchain is, down to the 1s and 0s, I might stutter a little. So let’s start there. Let’s clarify exactly what Blockchain and let’s go over the past. Let’s take a hard look at our understanding of blockchain.
Why is blockchain important?
Blockchain is becoming the tool in which we, a global people, are using to reshape the way that social-economic operations are performed.
We are using it as a reshaping mechanism for how we store assets, how we define our identities, how we perform online data storage, and, maybe the most important and relevant: in how we perform financial operations.
Think about the implications of this. We don’t need banks for loans, we don’t need Fort Knox to send us gold, we don’t need credit scores, we don’t need the current financial system anymore. If I want to loan a buddy in Slovakia 1000.00USD, I can send it to him in a second without him having to show anyone ID.
And even better, we can mine money out of thin air and electricity.
We are doing this all with a tool that is much like a database, but instead of the database being stored in an Amazon data center, it’s being stored on thousands of computers spread around the world. Those computers are owned by citizens usually, governments definitely, and hackers as well.
“Public” blockchains like the one that stores Bitcoin data, can be hosted by anyone. There is full transparency of the records that are stored and public blockchains can provide security, a degree of anonymity, and have no formal rules other than a read and write functionality.
There are “private” blockchains that are run by specific organizations in specific industries–those are hosted on private servers that restrict outside access… Think about a blockchain that Walmart might use to record all of its supply chain activities. Target probably has a different one, and then there is the Amazon blockchain storing its information.
The real power of blockchain is that it’s open-source (anyone can use it freely), it’s decentralized (nobody owns it) and it’s powerful AF (united we stand, indeed.)
Not to mention we are using it to change our fortunes, secure our identities, and NO ONE can regulate how it works. Think about that. We can create laws on how to tax it, but a true public blockchain can’t be controlled by any single entity–it’s a computer program that runs like a virus, independent of the original host.
What is the problem with Blockchain in 2021?
Blockchain is exploding. There are massive projects within it and this has created massive development efforts with thousands of programmers, millions of lines of code, and thousands of different public, private and alliance blockchains. The problem that projects like the Poly Network are trying to solve is obvious. How do we get these blockchains to work together in true, inter-operation? How do we get ETH and BTC to work together? How do we get DOGE and SHIB to play nicely? More specifically, if I have 1000.00 USD in value in DOGECOIN, how do I convert it safely into SHIB tokens?
These are the types of questions that come to mind immediately, and it is this curiosity that I hope will fuel your mind to go in deeper still. Yes, we do have protocols out there that do this nicely, exchanges as well… but even those aren’t a true IBC protocol.
Back to The Future Part 4
The problem that we are seeing today is similar to the one that we had in the 1990s. Islands of Data with oceans of garbage in between them. We’ve got Ethereum. On top of Ethereum, we are now starting to build projects that are distinct and different from each other–and for good reason. Each new project built on Ethereum is doing so for its own purposes… Some projects focus on security, some focus on efficiency and fast transactions, some focus on the ability to execute contracts, and some are focused on things like identity management. The point is, it’s obvious why we have projects for specific industries in the Ethereum space. What’s not obvious is how we coordinate all of that so they can work together somehow.
Enter the Poly Network
The Poly Network—link to whitepaper here— resolves trust, security, and transactions between blockchains. It was created as a safe and easy-to-use tool to bridge the gap between the different “chains”, and to be a “cross-chain” system. The Poly Network provides a number of features:
- Easy to join.
- Supports Atomic Transactions.
- It can support digital asset data and arbitrary data (You can use it to transact between things like BTC, ETH, NEO, Ontology Network, and Cosmos)
- Its security is cryptography based, so it’s strong.
- It is ECO and compliance friendly, you can use it to interact with private, public and alliance blockchains.
Think of the Poly Network as a separate, side-chain, blockchain that is used to coordinate transactions between the many different protocols. Its goal is to be a universal protocol and to fill the inter-blockchain communications (IBC protocol) gap.
As I was reading through the whitepaper, I had to poke around the internet to find references for things and to make sure I’m telling it to you straight. There is some good information there–and a lot of that information I put into this article already–specifically about the need for an inter-blockchain communications protocol.
While I was making sure I knew what every notation means in a Moore State Machine, I came across a few reddit posts that show a Q and A from the Poly Hacker his/herself.
If I’m trying to understand the Poly hack, why not first read what he had to say. He tells you exactly how he did it, but you need to understand it the way I do now. Let’s go through it line-by-line.
Thoughts on the above.
#1 “BELIEVE IT OR NOT, I WAS _FORCED_ TO PLAY THE GAME”
This simply means he probably couldn’t find a pre-existing hack that someone else already has created. The dark web has quite a lot of resources available if you want to be a bad “script-kitty” and play a hacker. This guy is just telling us in sarcastic hacker talk, “I had to do actual work and hack this baby with my own bare hands.” He had to write code to hack this… he had to do work. On to the second paragraph.
#2 “THE POLY NETWORK IS A SOPHISTICATED SYSTEM…”
This is where he tells us how he did it, even though he doesn’t tell us directly. He says he tried to build a local testing system, but he couldn’t. Let’s unpack that bit of information.
The local testing system would have been three systems, so yes, it would be complicated. It would require two blockchains, and then a third blockchain running the Poly protocol. Let’s say he was trying to exploit the interaction between say, SHIB, and DOGE, both shitcoin tokens with open-source code, and both are different blockchains (SHIB is an ERC-20 token on Ethereum, and DOGE is like Bitcoin, only it doesn’t use SHA-256 for its PoW). He mentions SHIB for some reason as well, but let’s not get off the topic.
To hack the real cryptocurrency systems, he needed a testing system (virtually or physically) that could mimic real-world shitcoin systems.
“I FAILED TO PRODUCE A POC AT THE BEGINNING.” On one server, he was running his version of SHIB, and on another server, he was running his own DOGE chain. Then he was trying to run the Poly Network code on a third system, the system that would facilitate the cross-chain interactions. He says that he almost gave up, but then had an “AH-HA” moment.
Authors Note: Now I believe that the time it might take someone to setup this system could be hours or days. So, it’s interesting to me how he phrased this part. It leads me to believe that there was more time that passed than what he might want to lead others to believe. This is just my intuition on it, and I’m not sure why I find it important right now.
Hacking isn’t glamorous, it’s really getting into the nitty-gritty. We’ve all tried to hack something, maybe not computers, but other systems for sure. It’s about seeing the system for what it is and then doing something else with it. You’re looking for little places that you can stick things in, little gaps… Within the Poly whitepaper, I didn’t see any exact gaps, but I was looking for them and thinking about them–when I read about their write and read solutions, my hacker own internal flags were going off like crazy, I was getting distracted and had to re-read those sections 10x. It took me 3 hours to read through 10 pages of the white paper–and when I started writing this, I knew that I figured out where he did it.
Are the Poly transactions truly atomic? When we think about “atomic transactions” in database-like systems, that’s where the rubber meets the road. All “perfect” database transactions must pass the ACID test.
In computer science, ACID (atomicity, consistency, isolation, durability) is a set of properties of database transactions intended to guarantee data validity despite errors, power failures, and other mishaps. In the context of databases, a sequence of database operations that satisfies the ACID properties (which can be perceived as a single logical operation on the data) is called a transaction. For example, a transfer of funds from one bank account to another, even involving multiple changes such as debiting one account and crediting another, is a single transaction.https://en.wikipedia.org/wiki/ACID
It made me have to think of the nature of a transaction. I have money, I walk up to your counter, you have a product. I point at the product, and you go get it from the shelf and give it to me. I’m satisfied with it, so I give you my money. Transaction done. The moment the money left my hand and went into yours, we had a deal. Not a second sooner, and once you had it in your hand… it now is yours. That happened. That happened at a specific time and can’t be changed.
Now let’s think about a transaction on a blockchain.
I decide I want to buy some SHIB with DOGE coin, those are different “markets”, so I need to use a middle-man. I use Poly Network to be the middle-man. I give my DOGE to the Poly Network–this is two transactions though.
- 1. it locks the DOGE coin into an escrow account wallet and
- 2. it stores a transaction on the Poly Network.
Next, the Poly Network writes a transaction to the SHIB (destination) token chain after it’s verified that the DOGE is properly escrowed. This results in the SHIB network crediting the amount of SHIB I bought to a SHIB wallet that I’ve previously created.
So, after all of this, you should be asking… WTF. Of course, this is where it happened right? There isn’t any other place for this to happen. What are you trying to say?
What I’m saying is this–he’s a hacker. And, while he might be trying not to get caught or whatever, he’s still a dude that has a lot of money now–and we can’t trust him.
I believe that when he set up his system, he was looking at all the different tokens that could be transacted and was trying different ones. Ones that don’t exist maybe–or even a token that he created himself right there on the fly and then tried to use the Poly Network to accept the transaction. That sounds right to me, in regards to having an “ah-ha” moment, he didn’t have any deep thought, he just found a token that he could create or swap into the real-world system that could extract 600 million.
#3 “I WAS PLANNING ON LAUNCHING A COOL…”
This I believe is mostly BS, he wasn’t going to attack them all because he couldn’t. What I think it means is that he tried to do the exploit with a bunch of the big cryptocurrencies but it didn’t work. The “RELAYER” is the Poly Network in this example–he goes into some other techno-babble jargon–“THE RELAYER DOES BEHAVE LIKE THE OTHERS…” He’s saying he tried it but without luck. I believe he’s just adding this tidbit to convince other hackers and people that he knows what he’s doing. If it worked on BTC, we’d be having a whole different discussion here–and crypto would be on fire. He would have if he could have is my thought.
#4 “I SHOULD HAVE STOPPED AT THAT MOMENT…”
Nope. He wants us to think he is a decent person. He is telling us he has a conscious and maybe he does, that’s not for me to judge. But, this whole idea of him giving back money is very interesting. Earning half a billion probably took at least a few minutes to figure out and to roll back. I think once he had his hand in the cookie jar, he was like… “people are going to find out about this.”
#5 “HOWEVER, I DIDN’T WANT TO CAUSE _REAL_ PANIC OF THE CRYTO WORLD”
This last statement that he put out there is the one that really has me thinking. Where is this guy from? Who would say, “of the crypto world” instead of “in the crypto world” or some other way. I also believe him here that he didn’t want to tank shitcoins since shitcoins are hot right now… super hot. I’m not sure why but this last paragraph just has me thinking. It’s definitely struck a chord in my mind and I’m going to have to think long and hard to understand exactly what he wanted to say or do with this last part. It’s fascinating to me though.
In the end, we will see what happens. This is happening in real-time. Good luck friends! I’m looking forward to hearing what you have to say about these thoughts. I’ll post more on this later.