Poly Network operates on the Binance Smart Chain, Ethereum and Polygon blockchains. Tokens are swapped between the blockchains using a smart contract which contains instructions on when to release the assets to the counterparties.
One of the smart contracts that Poly Network uses to transfer tokens between blockchains maintains large amounts of liquidity to allow users to efficiently swap tokens, according to crypto intelligence firm CipherTrace.
Poly Network tweeted on Tuesday that a preliminary investigation found the hackers exploited a vulnerability in this smart contract.
According to an analysis of the transactions tweeted by Kelvin Fichter, an Ethereum programmer, the hackers appeared to override the contract instructions for each of the three blockchains and diverted the funds to three wallet addresses, digital locations for storing tokens. These were later traced and published by Poly Network.
The attackers stole funds in more than 12 different cryptocurrencies, including ether and a type of bitcoin, according to blockchain forensics company Chainalysis.
A person claiming to have perpetrated the hack said they had spotted a "bug," without specifying, and that they wanted to "expose the vulnerability" before others could exploit it, according to digital messages posted on the Ethereum network published by Chainalysis. Reuters could not verify the authenticity of the messages.