Poloniex Hacker Makes a Mistake, May Lose $2.6 Million

It appears that the attacker responsible for the November 10 exploit accidentally directed over 10.5 million GLM tokens to the contract address.

Chained money with a large lock
The hacker has yet to recover nearly $2.6 million worth of GLM tokens, sent seemingly by accident to a contract address.

Yesterday, the Web3 cybersecurity team released an analysis of the November 10 attack on the Poloniex cryptocurrency exchange platform. This attack resulted in a total loss of nearly $132 million, marking it as "the second largest private key compromise that CertiK has detected in 2023."

Read also: Weekly Losses from Web3 Exploits Exceeded $138 Million

While scrutinizing the movement of pilfered funds, the CertiK team identified an unusual pattern, presumably stemming from a human error committed by the Poloniex hacker.

The hacker successfully converted the majority of the 317 ERC-20 tokens they had stolen into ETH. However, instead of following the conventional path of exchanging GLM tokens for ETH, the attacker took an unconventional route. They directed the digital loot, comprising over 10.5 million GLM tokens valued at nearly $2.6 million during the exploit, straight to the Golem Network Token contract.

CertiK token transfer analysis
Source: CertiK, Medium

CertiK explains that "it is likely that human error led to the attacker copying the contract address as the recipient following importing the token contract into their wallet," adding that the funds were still within the tokens contract at the time of writing.

Committing such an error could lead to undesirable outcomes due to the disparities between external wallet addresses and contract addresses. Depending on the functionality of a contract address, funds may become inaccessible or be locked within the contract. Many contract addresses lack support for transactions or lack the necessary functionality to handle them correctly.

Read also: October Web3 Exploits Lead to Over $32 Million Losses

At the same time, if a contract address does have functionality for processing incoming transactions, such a transfer can trigger the execution of specific functions and yield unexpected results.

In the same analysis, CertiK mentioned that the stolen funds had already been transferred through 70 wallets on Tron and more than 600 wallets on Ethereum. However, at press time, the hackers' Bitcoin wallet remained unaffected, suggesting a strategic decision by the attackers to concentrate on specific blockchain networks.

CertiK states that the exploit began "when approximately $18 million was transferred to the hacker's BTC wallet at 10:34 AM UTC."

The attackers demonstrated certain sophistication by employing a multi-step process to swap stolen ERC-20 tokens. This involved transferring a small amount of ETH to their own wallet, followed by a specific token swap and subsequent transfer of the swapped assets to a new wallet.

Meanwhile, Poloniex announced yesterday the near-complete restoration of the compromised wallet, adding that the team "is strengthening security through a top-tier audit that is nearing completion," with plans to resume full services after the audit.