📈 Get daily crypto insights that make you smarter about your money

Poly Network Cross-Chain Bridge Compromised: How Forged Relays Minted Billions in Fake Tokens

By /
LinkedInMessengerRedditTelegramThreadsWhatsApp

The decentralized finance ecosystem faced another severe security incident as Poly Network, a cross-chain interoperability protocol, fell victim to a sophisticated exploit that allowed attackers to mint billions of dollars worth of fraudulent tokens across multiple blockchains. The attack, which surfaced over the weekend of July 1, 2023, exposed critical vulnerabilities in the way cross-chain bridges verify and relay transaction data between networks.

The Exploit Mechanics

The attacker exploited a vulnerability in Poly Network’s cross-chain messaging mechanism, specifically targeting the protocol’s relay chain verification process. By manipulating the way the bridge validated cross-chain transactions, the attacker was able to forge transaction proofs that made it appear as though legitimate token transfers were occurring. In reality, the attacker was minting new tokens out of thin air on destination chains without corresponding locks on the source chain.

Blockchain security firm PeckShield estimated that approximately $42 billion worth of cryptocurrency tokens were minted during the attack, while another firm, Dedaub, placed the figure at around $34 billion. However, the actual extractable value was far lower due to limited liquidity on decentralized exchanges. Security firm Beosin reported that approximately 5,196 ETH, worth roughly $10 million at the time, was actually stolen and could be liquidated by the attacker.

The discrepancy between the minted face value and realizable losses highlights a common pattern in cross-chain bridge exploits: attackers can create enormous notional values, but converting them to spendable assets depends entirely on available market liquidity.

Affected Systems

The attack impacted 57 distinct crypto assets across 10 different blockchains, including Ethereum, Binance’s BNB Chain, Metis, and Polygon. Poly Network confirmed the scope in a public statement, sharing a detailed spreadsheet listing all affected assets and their corresponding blockchain networks. The wide reach of the attack underscores how a single vulnerability in a cross-chain protocol can cascade across an entire multi-chain ecosystem.

Several other DeFi platforms with integration ties to Poly Network were forced to take emergency action. Multiple projects announced emergency liquidity withdrawals from decentralized exchanges to prevent further exploitation. Binance CEO Changpeng Zhao publicly stated that the incident did not affect Binance users directly, as the exchange did not support deposits from the compromised network.

The Mitigation Strategy

Poly Network responded by immediately suspending all services and initiating communication with centralized exchanges and law enforcement agencies. The team urged all projects holding affected assets to promptly withdraw liquidity from decentralized exchanges and advised individual users to expedite the process of withdrawing liquidity and unlocking their LP tokens.

Security firms including PeckShield, Beosin, and MetaSleuth collaborated to trace the stolen funds in real time. Their analysis revealed that the attacker held approximately 2,266 ETH (around $4.3 million at the time) with additional crypto assets that needed valuation based on liquidity and price volatility. Approximately $260 million worth of BNB was also taken but was unlikely to be cashed out due to low liquidity on affected platforms.

Lessons Learned

This incident bears a striking resemblance to Poly Network’s first major exploit in August 2021, when over $610 million was stolen in what was then the largest DeFi hack in history. That the same protocol suffered a second catastrophic breach raises serious questions about the adequacy of security audits and the pace of vulnerability remediation in cross-chain infrastructure. Key takeaways include:

  • Cross-chain bridges remain the weakest link in DeFi security. Their complexity — managing state across multiple independent blockchains — creates attack surfaces that single-chain protocols do not face.
  • Minting-based exploits can create panic far exceeding actual losses. Users and investors should distinguish between notional minted values and realizable theft when evaluating the severity of bridge hacks.
  • Repeated breaches erode trust permanently. Protocols that suffer multiple major incidents face an uphill battle to maintain user confidence and institutional partnerships.
  • Rapid incident response coordination between security firms, exchanges, and affected projects is critical to minimizing real losses during active exploits.

User Action Required

If you held assets on Poly Network or any integrated platform during the July 1 attack window, take the following steps immediately. First, check the official Poly Network spreadsheet listing all 57 affected assets to determine whether your holdings are at risk. Second, revoke any outstanding token approvals connected to Poly Network contracts using tools like Revoke.cash or Etherscan’s token approval checker. Third, move remaining assets to a fresh wallet address as a precaution against any undiscovered backdoors or secondary exploits. Finally, monitor official Poly Network channels for updates on fund recovery efforts and any proposed compensation plans. Bitcoin was trading at approximately $30,590 and Ethereum at $1,924 at the time of the incident, providing context for the real-dollar value of stolen assets.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.

🌱 FOR BUSINESSES BitcoinsNews.com
Reach 100K+ Crypto Readers
Sponsored content, press releases, banner ads, and newsletter placements. Put your brand in front of Bitcoin's most engaged audience.

7 thoughts on “Poly Network Cross-Chain Bridge Compromised: How Forged Relays Minted Billions in Fake Tokens”

  1. Mira T.

    forged relay proofs enabling unlimited minting. every bridge that relies on a trusted relayer set has this exact same vulnerability

    Reply
  2. trashpanda42

    PeckShield putting the minted total at $42B and Dedaub at $34B. when the numbers are that far apart you know the situation is messy

    Reply
    1. relay_check

      42B vs 34B is a 20% difference. when security firms cant even agree on the damage amount you know the monitoring tools need work

      Reply
      1. Tamara Osei

        relay_check 20% variance between security firms is embarrassing. we need standardized bridge monitoring not competing estimates

        Reply
    2. nosleep_99

      the discrepancy is because different firms count different token pools across different chains. the real number is somewhere in between but either way its massive

      Reply
  3. Priya S.

    the attacker minting tokens without corresponding locks on the source chain is the oldest bridge attack in the book. how does this still happen in 2023

    Reply
    1. mint_watch

      Priya S. because bridge developers keep reinventing the wheel instead of usingbattle-tested verification layers. every new bridge thinks they solved it

      Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

BTC$65,407.00-0.6%ETH$1,765.10-0.8%SOL$73.28-0.1%BNB$603.75-0.3%XRP$1.21-0.6%ADA$0.1692-2.9%DOGE$0.0867-0.4%DOT$1.02+2.0%AVAX$6.89+1.6%LINK$8.23+0.5%UNI$3.30+8.3%ATOM$1.99+0.2%LTC$45.46+1.3%ARB$0.0871+3.0%NEAR$2.35+1.0%FIL$0.8181+4.5%SUI$0.7964+1.6%BTC$65,407.00-0.6%ETH$1,765.10-0.8%SOL$73.28-0.1%BNB$603.75-0.3%XRP$1.21-0.6%ADA$0.1692-2.9%DOGE$0.0867-0.4%DOT$1.02+2.0%AVAX$6.89+1.6%LINK$8.23+0.5%UNI$3.30+8.3%ATOM$1.99+0.2%LTC$45.46+1.3%ARB$0.0871+3.0%NEAR$2.35+1.0%FIL$0.8181+4.5%SUI$0.7964+1.6%
Scroll to Top