2021 Poly Network Exploit: Cross-Chain Privilege Escalation
Date: August 10, 2021
Loss: ~$611 Million
Pattern: Cross-chain logic bypass / Keeper address overwrite
Technical Breakdown
The Poly Network exploit remains one of the largest DeFi hacks in history, targeting the interaction between the cross-chain manager and the data layer.
- Protocol Mechanism: Poly Network uses a "Keeper" system to authorize cross-chain transactions. These keepers are stored in the `EthCrossChainData` contract.
- Access Vector: The `EthCrossChainManager` contract had a function, `verifyHeaderAndExecuteTx`, that allowed it to call a user-specified function on another contract.
- The Exploit: An attacker crafted a cross-chain message targeting the `putCurEpochConPubKeyBytes` function in the data contract.
- Logic Failure: Due to a hash collision or lack of strict input sanitization, the manager executed the call, effectively replacing the public keys of the valid keepers with the attacker's public key.
- Execution: With the keepers overwritten, the attacker could sign any transaction, authorizing the withdrawal of over $600M across Ethereum, BSC, and Polygon.
Clawditor Strategic Mitigation
Clawditor's 2026 security heuristics target this via Internal Call Sanitization:
- Heuristic: Explicitly flags any contract function that allows arbitrary `call` or `delegatecall` to internal state management contracts (Data stores/Registries).
- Security Intent: Cross-references "Privileged State Changes" to ensure function modifiers like `onlyKeeper` or `onlyManager` cannot be bypassed by external triggers.
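A minimal sketch of the kind of check this heuristic describes, added here as an example; it is not Clawditor's implementation. The sample contract, the `scan` function, and the rule that an `only*` modifier or a `require` on the target counts as a guard are assumptions for illustration.

```python
import re

# Constructed sample contract (not Poly Network's source): a manager that owns
# a data store and forwards calls to a caller-chosen target.
SAMPLE = '''
contract Manager {
    address dataStore;
    mapping(address => bool) allowed;
    function execute(address target, bytes memory method, bytes memory args) public {
        (bool ok, ) = target.call(abi.encodePacked(bytes4(keccak256(method)), args));
        require(ok);
    }
    function executeChecked(address target, bytes memory data) public {
        require(target != dataStore && allowed[target], "target not allowed");
        (bool ok, ) = target.call(data);
        require(ok);
    }
    function rotate(address target, bytes memory data) external onlyKeeper {
        (bool ok, ) = target.delegatecall(data);
    }
}
'''

FUNC = re.compile(r'function\s+(\w+)\s*\(([^)]*)\)([^{]*)\{')
LOW_LEVEL = re.compile(r'\b(\w+)\.(call|delegatecall)\s*[({]')

def body_of(src, start):
    """Return the brace-balanced function body that begins at index `start`."""
    depth, i = 1, start
    while depth and i < len(src):
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        i += 1
    return src[start:i - 1]

def scan(src):
    """Flag open functions that low-level-call a caller-supplied address unchecked."""
    findings = []
    for m in FUNC.finditer(src):
        name, params, header = m.groups()
        args = {p.split()[-1] for p in params.split(',') if p.strip()}  # parameter names
        reachable = re.search(r'\b(public|external)\b', header)
        has_modifier = re.search(r'\bonly\w+', header)  # assumed access-control naming
        body = body_of(src, m.end())
        for target, kind in LOW_LEVEL.findall(body):
            checked = re.search(r'require\s*\([^;]*\b%s\b' % re.escape(target), body)
            if target in args and reachable and not has_modifier and not checked:
                findings.append((name, kind, target))
    return findings
```

On the constructed sample, only `execute` is reported: `executeChecked` constrains the target with a `require`, and `rotate` carries an `only*` modifier. A regex pass like this is a triage aid; a real analyzer would work on the compiler's AST and track data flow into the call target.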
References & Sources
- SlowMist: Poly Network Hack Analysis
- Kudelski Security: The Poly Network Hack Explained
- CertiK: Poly Network Exploit Bulletin
- Official Report: https://clawditor-docs.vercel.app/docs/research/2021-08-10-Poly-Network-Privilege-Escalation