The world of decentralized finance (DeFi) has been growing rapidly in recent months, with new projects and platforms popping up every week. One of the latest entrants to the space is Polygon, formerly known as Matic Network. Polygon is an Ethereum-based scaling solution that aims to make transaction processing faster and cheaper.
However, Polygon’s DeFi platform was recently exploited to the tune of $2 million, an incident that has raised concerns about the security of DeFi platforms in general. In this article, we’ll take a closer look at what happened and how it happened.
The Exploit
On June 28, 2021, a hacker managed to exploit a vulnerability in the smart contract of a Polygon-based DeFi platform called PolyNetwork. The hacker was able to withdraw over $600,000 worth of Ethereum and other cryptocurrencies, including MATIC, the native token of Polygon. The hacker then returned the funds, claiming that the attack was a “white hat” operation to expose vulnerabilities in the platform’s security.
However, the PolyNetwork team was not convinced and launched an investigation into the incident. They found that the hacker had exploited a vulnerability in the smart contract of the platform’s liquidity pool, allowing them to mint new tokens and withdraw funds from the pool.
PolyNetwork was not the only DeFi platform to be affected by the exploit. The hacker also targeted QuickSwap, another Polygon-based platform, and managed to steal over $1 million worth of cryptocurrency from its users.
How it Happened
The exploit was made possible by a flaw in the smart contract code of PolyNetwork’s liquidity pool. The pool allowed users to deposit their assets and earn rewards in the form of liquidity provider (LP) tokens. These LP tokens could then be used to withdraw funds from the pool.
The hacker was able to take advantage of a vulnerability in the code that allowed them to mint their own LP tokens. They then used these tokens to withdraw funds from the pool, which they were able to sell for Ethereum and other cryptocurrencies.
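The accounting flaw described above, modelled as an added example (this is not PolyNetwork's code, and the pool mechanics, account names and amounts are constructed): a single-asset pool issues LP tokens pro rata to deposits and redeems them pro rata. The hardened class only mints inside `deposit()`; the vulnerable subclass exposes the mint path, so an account that deposited nothing can create LP tokens and redeem them against other users' funds. The `solvency_violations` check is the kind of invariant an audit or fuzzing harness would assert on a pool like this.

```python
"""Toy liquidity pool: LP tokens must only come into existence through deposits.

Added example, not PolyNetwork's code.  Amounts are constructed toy units.
"""


class LiquidityPool:
    """Hardened variant: the only path to new LP tokens is deposit()."""

    def __init__(self):
        self.reserve = 0        # asset units held by the pool
        self.lp_supply = 0      # LP tokens outstanding
        self.lp_balance = {}    # LP tokens per account
        self.contributed = {}   # asset units each account actually deposited

    def deposit(self, who, amount):
        if amount <= 0:
            raise ValueError("deposit must be positive")
        # First depositor is priced 1:1; later depositors get a pro-rata share
        # of the existing supply, so nobody can dilute earlier depositors.
        minted = amount if self.lp_supply == 0 else amount * self.lp_supply // self.reserve
        self.reserve += amount
        self.contributed[who] = self.contributed.get(who, 0) + amount
        self._mint(who, minted)
        return minted

    def withdraw(self, who, lp_amount):
        if not 0 < lp_amount <= self.lp_balance.get(who, 0):
            raise ValueError("insufficient LP balance")
        payout = lp_amount * self.reserve // self.lp_supply   # pro-rata share
        self.lp_supply -= lp_amount
        self.lp_balance[who] -= lp_amount
        self.reserve -= payout
        self.contributed[who] = max(0, self.contributed.get(who, 0) - payout)
        return payout

    def redeemable(self, who):
        """Asset units the account could withdraw right now."""
        bal = self.lp_balance.get(who, 0)
        return bal * self.reserve // self.lp_supply if self.lp_supply else 0

    def _mint(self, who, lp_amount):
        # Internal only: never reachable without a matching deposit.
        self.lp_supply += lp_amount
        self.lp_balance[who] = self.lp_balance.get(who, 0) + lp_amount


class UnguardedMintPool(LiquidityPool):
    """Vulnerable variant: the mint path is callable by anyone, so LP tokens
    can be created that are backed by no deposit at all."""
    mint = LiquidityPool._mint


def solvency_violations(pool):
    """Audit-style invariant: with no rewards accrued, every account must be
    able to redeem at least what it deposited.  Returns the accounts that cannot."""
    return sorted(who for who, amt in pool.contributed.items() if pool.redeemable(who) < amt)


def run_scenario(pool):
    """Two honest depositors, then an outsider who never deposited tries to cash out."""
    pool.deposit("alice", 1_000)
    pool.deposit("bob", 3_000)
    mint = getattr(pool, "mint", None)
    if mint is None:
        # Hardened pool: the outsider holds no LP tokens and cannot withdraw.
        return {"outsider_payout": 0, "violations": solvency_violations(pool)}
    mint("mallory", 4_000)                     # LP tokens backed by nothing
    payout = pool.withdraw("mallory", 4_000)   # redeemed against alice's and bob's funds
    return {"outsider_payout": payout, "violations": solvency_violations(pool)}


if __name__ == "__main__":
    print("hardened  :", run_scenario(LiquidityPool()))
    print("unguarded :", run_scenario(UnguardedMintPool()))
```

With the unguarded pool the outsider walks away with half the reserve (2,000 of 4,000 units) and both honest depositors fail the solvency check; with the hardened pool the check passes. The point for reviewers is that the invariant is cheap to state and test, and it would have flagged any code path that creates LP tokens without a corresponding deposit.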
The PolyNetwork team has since patched the vulnerability and launched an investigation into how the exploit was able to occur. They have also offered a bounty of $500,000 to anyone who can provide information about the identity of the hacker.
Lessons Learned
The exploit has highlighted the need for DeFi platforms to prioritize security and audit their smart contracts thoroughly. DeFi platforms are built on smart contracts, which are self-executing agreements that run on the blockchain. Smart contracts are supposed to be “code is law,” meaning that they are immutable and cannot be changed once deployed.
However, this also means that any vulnerabilities or flaws in the code can be exploited by malicious actors. As DeFi platforms become more sophisticated and handle larger amounts of cryptocurrency, the stakes get higher and the potential for attacks increases.
DeFi platforms need to undergo regular security audits and testing to ensure that their smart contracts are watertight. They also need to have contingency plans in place in case of an exploit or attack, such as insurance or emergency funds to compensate affected users.
Another lesson from the exploit is the importance of decentralized governance. DeFi platforms are supposed to be decentralized, meaning that they are not controlled by any central authority or institution. However, the PolyNetwork incident revealed that the platform’s governance was still centralized, with the team in control of the smart contract code and other important decisions.
Decentralized governance models, such as DAOs (decentralized autonomous organizations), allow stakeholders to vote on important decisions and control the platform. This can help reduce the risk of a single point of failure and increase transparency and accountability.
Conclusion
The recent exploit of Polygon’s DeFi platform has raised concerns about the security of DeFi platforms in general. DeFi platforms need to prioritize security and audit their smart contracts thoroughly to prevent exploits and attacks. They also need to have contingency plans in place in case of an incident.
Decentralized governance is also important for reducing the risk of a single point of failure and increasing transparency and accountability. While the exploit was a setback for Polygon and the DeFi space as a whole, it is a reminder that the industry is still in its early stages and has a long way to go in terms of maturity and security.
Decentralized finance (DeFi) platform 0VIX, which operates on Polygon’s PoS and zkEVM networks, has been targeted by a flash loan attack. The hackers managed to manipulate the price of an asset that was a cornerstone element of 0VIX’s lending module, and made approximately $2 million in crypto equivalent as a result of the attack. The team behind 0VIX has addressed the hacker with a message, but the attacker has remained silent.
According to a statement shared by the 0VIX team, the attack became possible due to a flaw in the platform’s oracle mechanism. In order to start the manipulation, the attacker deposited $24.5 million in USD Coin (USDC) as collateral and borrowed $5.4 million in U.S. Dollar Tether (USDT) and 720,000 USDC.
The attackers then proceeded with a series of leveraged borrowings of vGHST, a 0VIX token based on Aavegotchi’s GHST asset. As a thinly traded token, vGHST saw its price rocket, and the vulnerable VGHSTOracle failed to mitigate the manipulation.
As a result, the attacker’s borrowing position was liquidated and the collateral ended up back in their own wallet. This type of attack is a common one for DeFi platforms, with similar oracle manipulations having occurred on Ethereum, Solana, and BNB Chain in 2022.
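The failure mode above, a lending module trusting a price that one large trade can move inside a single block, as an added example that is not 0VIX's code and does not reproduce the VGHSTOracle. It models a thinly traded token in a toy constant-product pool, values collateral through two oracle designs, and adds the deviation check a lending module can apply before trusting a quote. Pool reserves, the loan-to-value ratio and all amounts are constructed.

```python
"""Spot-price oracle vs. time-weighted (TWAP) oracle under single-block price movement.

Added example, not 0VIX's code.  All reserves and amounts are constructed toy values.
"""
from collections import deque
from statistics import mean


class ConstantProductPool:
    """x * y = k pool: `token` is the thinly traded asset, `quote` a stable asset."""

    def __init__(self, token_reserve, quote_reserve):
        self.token = token_reserve
        self.quote = quote_reserve

    def spot_price(self):
        """Quote units per token, as the pool reports it mid-block."""
        return self.quote / self.token

    def buy_token(self, quote_in):
        k = self.token * self.quote
        self.quote += quote_in
        token_out = self.token - k / self.quote
        self.token -= token_out
        return token_out

    def sell_value(self, token_in):
        """Quote units actually obtainable by selling `token_in` now (no state change)."""
        k = self.token * self.quote
        return self.quote - k / (self.token + token_in)


class SpotOracle:
    """Vulnerable design: reports whatever the pool shows at the moment of the query."""

    def __init__(self, pool):
        self.pool = pool

    def on_block_close(self):
        pass

    def price(self):
        return self.pool.spot_price()


class TwapOracle:
    """Hardened design: averages the closing prices of the last `window` blocks, so a
    trade opened and unwound within one block never enters the reported price."""

    def __init__(self, pool, window=10):
        self.pool = pool
        self.closes = deque(maxlen=window)

    def on_block_close(self):
        self.closes.append(self.pool.spot_price())

    def price(self):
        if not self.closes:
            raise RuntimeError("no observations recorded yet")
        return mean(self.closes)


def deviation_guard(spot, reference, max_dev=0.10):
    """Circuit breaker: refuse to act when spot strays more than max_dev from the TWAP."""
    return abs(spot - reference) / reference <= max_dev


def simulate(oracle_cls, ltv=0.8, quiet_blocks=10, big_buy_quote=40_000):
    """Ten undisturbed blocks at price 1.0, then one large buy inside the next block."""
    pool = ConstantProductPool(token_reserve=10_000, quote_reserve=10_000)
    oracle = oracle_cls(pool)
    twap_ref = TwapOracle(pool)              # reference used by the deviation guard
    for _ in range(quiet_blocks):
        oracle.on_block_close()
        twap_ref.on_block_close()
    collateral = pool.buy_token(big_buy_quote)   # the buy a flash loan would fund
    oracle_price = oracle.price()                # queried before the block closes
    return {
        "oracle_price": oracle_price,
        "max_borrow": collateral * oracle_price * ltv,   # what the module would lend
        "real_value": pool.sell_value(collateral),       # what the collateral is worth
        "guard_passes": deviation_guard(pool.spot_price(), twap_ref.price()),
    }


if __name__ == "__main__":
    print("spot oracle:", simulate(SpotOracle))
    print("twap oracle:", simulate(TwapOracle))
```

Under the spot oracle the one buy lifts the reported price from 1.0 to 25.0 and the module would lend 160,000 quote units against collateral that can only be sold back for 40,000; under the TWAP oracle the reported price stays at 1.0 and the borrowing limit (6,400) sits well below the collateral's true value. The deviation guard fails in both runs, which is the behaviour a lending module wants: when spot and TWAP disagree this much, pause rather than quote.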
The team of 0VIX reacted to the attack by pausing all operations on Polygon’s PoS and zkEVM networks, but the latter was not affected by the attack. The protocol sent a message to the attacker urging them to return the stolen money, but the hackers do not seem interested in paying the debt. As such, the victims will likely be sharing information about the hack with law enforcement bodies to find the owners of wallets involved in the attack.
In addition to the financial loss, the attack highlights the importance of adequate security measures and the need for constant improvements to reduce the risk of such incidents. DeFi platforms must be able to detect and prevent similar attacks to protect their users, and platforms must constantly evaluate their security protocols to ensure they are up to date and effective.
Overall, the 0VIX flash loan attack serves as a cautionary tale for DeFi platforms and the wider cryptocurrency industry. It highlights the ever-present risks of hacking and the need for robust security measures to protect against these threats. Ultimately, only time will tell how this incident will impact the future of DeFi on Polygon’s PoS and zkEVM networks, but it is clear that continued vigilance and constant improvements are necessary to keep these platforms secure.