Poly Network Hacker Attack Analysis: Contract Vulnerabilities Lead to Cross-Chain Fund Theft

Analysis of the Hacker Attack Incident on Poly Network

Recently, the cross-chain interoperability protocol Poly Network was attacked by a hacker, drawing widespread attention in the industry. A team of security experts conducted an in-depth analysis of the incident and concluded that the attacker did not carry out the attack through private key leakage, but instead exploited a contract vulnerability to modify critical parameters.

Attack Core

The attacker successfully modified the keeper address of the EthCrossChainData contract by passing carefully crafted data to the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract. This operation granted the attacker the permission to withdraw funds from the contract.

Attack Details

  1. The key to the attack lies in the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract, which can execute specific cross-chain transactions through the _executeCrossChainTx function.

  2. The owner of the EthCrossChainData contract is the EthCrossChainManager contract, so the latter can call the putCurEpochConPubKeyBytes function of the former to modify the keeper.

  3. The attacker used the verifyHeaderAndExecuteTx function, passing in specially crafted data, which caused the _executeCrossChainTx function to perform an operation that modified the keeper address.

  4. After successfully replacing the keeper address, the attacker can construct transactions to extract any amount of funds from the contract.

Attack Process

  1. The attacker first called the putCurEpochConPubKeyBytes function through the verifyHeaderAndExecuteTx function of the EthCrossChainManager contract, changing the keeper.

  2. Subsequently, the attacker utilized the new keeper permissions to execute multiple fund withdrawal operations.

  3. After the attack was completed, normal transactions from other users were rejected because the keeper had been modified.

  4. Similar attack patterns have also been replicated on the Ethereum network.

Conclusion

The core of this attack lies in the fact that the keeper of the EthCrossChainData contract can be modified by the EthCrossChainManager contract, and the verifyHeaderAndExecuteTx function of the latter can execute data provided by users. The attacker exploited this mechanism by constructing specific data to successfully modify the keeper address, thereby gaining control over the funds in the contract.
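The trust relationship described above can be reproduced in a small model. This is an added example, not Poly Network's contract code: the classes stand in for the two contracts, and `LockProxy`, `execute_cross_chain_tx`, `keeper_after_crafted_message`, and the target allowlist are hypothetical names, the allowlist being one assumed mitigation rather than the fix the project applied.

```python
# Constructed model of the trust relationship; not Poly Network's contract code.
class NotOwner(Exception):
    pass

class TargetNotAllowed(Exception):
    pass

class DataContract:
    """Stands in for EthCrossChainData: holds the keeper, owner-only setter."""
    def __init__(self, owner, keeper):
        self.owner, self.keeper = owner, keeper

    def putCurEpochConPubKeyBytes(self, caller, new_keeper):
        if caller is not self.owner:
            raise NotOwner("only the owner may replace the keeper")
        self.keeper = new_keeper

class LockProxy:
    """Hypothetical legitimate destination for cross-chain calls."""
    def unlock(self, caller, to, amount):
        return (to, amount)

class Manager:
    """Stands in for EthCrossChainManager, which owns the data contract."""
    def __init__(self, allowed_targets=None):
        # None reproduces the flaw: any target/method from the message is called.
        self.allowed_targets = allowed_targets

    def execute_cross_chain_tx(self, target, method, args):
        # Hardened path (assumed mitigation): refuse targets not registered.
        if self.allowed_targets is not None and target not in self.allowed_targets:
            raise TargetNotAllowed(type(target).__name__)
        # The call is made with the manager's own identity as caller.
        return getattr(target, method)(self, *args)

def keeper_after_crafted_message(hardened):
    proxy = LockProxy()
    manager = Manager(allowed_targets={proxy} if hardened else None)
    data = DataContract(owner=manager, keeper="original-keeper")
    try:
        manager.execute_cross_chain_tx(
            data, "putCurEpochConPubKeyBytes", ["replaced-keeper"])
    except TargetNotAllowed:
        pass  # message rejected, keeper untouched
    return data.keeper

if __name__ == "__main__":
    print("unrestricted dispatch:", keeper_after_crafted_message(False))
    print("allowlisted dispatch: ", keeper_after_crafted_message(True))
```

The owner check on the data contract holds against a direct caller; it only fails because the manager, which passes that check, lets the message choose the target and method.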

This event highlights once again the importance of security audits for smart contracts, especially in complex scenarios such as cross-chain operations, where a comprehensive and rigorous examination of contract logic is needed to prevent potential security risks.

WenMoonvip
· 07-18 14:18
Just be played for suckers, huh.
ShibaMillionairen'tvip
· 07-18 12:53
Seeing another scam project really makes me laugh.
GmGnSleepervip
· 07-15 15:01
There are vulnerabilities everywhere; it's better to just sleep.
CryptoAdventurervip
· 07-15 15:01
Another wave of suckers has been played for suckers.
BearMarketSurvivorvip
· 07-15 15:00
Another Ponzi scheme has collapsed.
BlockchainFoodievip
· 07-15 14:51
tastes like a badly cooked smart contract soup... needs more security seasoning fr
EthMaximalistvip
· 07-15 14:46
Who wrote this lock?
DataChiefvip
· 07-15 14:41
Another contract has been breached, huh.
Rugman_Walkingvip
· 07-15 14:32
These people are really greedy.