While Poly Network may have escaped some of the worst of the damage from its recent security breach, there are questions it still must answer, AnChain.AI founder and CEO Dr. Victor Fang said recently.
Fang said it appears the hack was caused by the exploitation of a vulnerability in a smart contract. That is significant, given Poly Network’s insistence that their smart contracts were audited and approved by two different firms.
“As with many projects in the space, there is a lack of transparency in the smart contract,” Fang explained. “We were able to examine the smart contract source code in their GitHub, however, there is no guarantee that their actual bytecode deployment on the blockchain is identical.”
“We see problems like these arise due to a lack of regulatory oversight and transparency surrounding smart contract code integrity, which leaves investors, customers, and other market participants completely unprotected and vulnerable.”
Fang said messages the attackers sent via transactions to themselves suggest they are positioning themselves as white hat hackers with good intentions.
“They have hosted a miniature Q&A within self transactions that can be found via Etherscan.io, within which they have stated the intention to return all of the money over time, but slowly in order to force the Poly team to communicate with them,” Fang said.
Even if they have the best of intentions, the hackers’ strategy was shortsighted, Fang believes.
“Regardless of their intentions, we’re of the belief that this sort of publicity stunt hurts the perception of the virtual asset economy in the eyes of the public,” Fang said. “No everyday customer or investor is comfortable with their money being held hostage by vigilantism, no matter how well-intentioned.”
Perhaps there was another less altruistic reason for the about-face.
“Despite their stated reasoning, it’s worth asking why the hacker decided to return the funding. Was it out of good will from the beginning, or did they perhaps feel that laundering the crypto via mixers before liquidating at an AML-compliant VASP/exchange was simply too risky to attempt? It may be that, taking that into account, the publicity was worth more than any realistic profit.”
AnChain.AI offers AI-powered blockchain security, risk and compliance services.