Poly Network Suffers Second Major Breach as Hackers Mint Billions in Fraudulent Tokens

Poly Network, the cross-chain decentralized finance (DeFi) protocol, has suffered yet another major security breach — this time seeing hackers exploit its infrastructure to mint billions of dollars worth of fraudulent tokens across multiple blockchains. The attack, which began on July 2, 2023, has reignited serious concerns about the security of cross-chain bridges and the vulnerabilities inherent in multi-chain architecture.

TL;DR

• Poly Network was exploited on July 2, 2023, with hackers minting $34-43 billion in notional token value
• 57 assets across 10+ blockchains were affected, including Ethereum, BNB Chain, Polygon, and Avalanche
• Actual stolen funds estimated between $5 million and $20 million in realizable value
• The hack exploited private key compromises rather than a smart contract vulnerability
• Poly Network suspended all services and urged users to withdraw liquidity immediately

How the Attack Unfolded

Early on July 2, Poly Network confirmed via its official channels that it was suspending services due to a “recent attack.” The breach was not your typical DeFi exploit. Instead of targeting a smart contract bug, the attackers gained access to the Poly Network’s private keys — specifically the consensus keys for the relay chain — allowing them to sign forged block headers and essentially mint unlimited tokens out of thin air.

According to blockchain security firm PeckShield, approximately $42 billion worth of cryptocurrency was minted during the attack, while Dedaub estimated the figure at $34 billion. However, these staggering numbers represent the notional face value of the tokens — the reality is far more modest. Because the hackers minted tokens on blockchains that lacked the liquidity to absorb such enormous volumes, the actual extractable value was dramatically lower.

The Real Damage

Multiple blockchain security firms scrambled to assess the true financial impact of the breach. Security firm Beosin reported that a total of 5,196 ETH was stolen, translating to approximately $10 million at current prices. PeckShield’s analysis was slightly more conservative, estimating that stolen crypto on Ethereum was worth about $20 million, including ETH and various other tokens.

“The exploiter has grabbed about 1,592.51 ETH ($3 million) from the Poly Network and has also swapped part of other cryptos for 674 ETH,” PeckShield reported. The firm noted that the exploiter held approximately 2,266.15 ETH ($4.3 million) at the time of their analysis, with the value of other stolen tokens subject to liquidity and price volatility constraints.

By the afternoon of July 2, Poly Network confirmed that 57 assets across 10 blockchains had been affected. The impacted networks included Ethereum, BNB Chain, Polygon, Avalanche, Metis, and OKx Chain, among others. The company published a detailed spreadsheet tracking the affected assets and urged all users holding those tokens to withdraw liquidity and unlock their LP tokens without delay.

A Troubled History

This is not Poly Network’s first rodeo with catastrophic security failures. In August 2021, the protocol suffered what was at the time the second-largest DeFi exploit in history, with hackers stealing approximately $600 million in digital assets. In that incident, the attacker ultimately returned the stolen funds after a public pressure campaign and negotiations — an outcome that seems increasingly unlikely given the sophisticated nature of this latest breach.

The repeat victimization raises uncomfortable questions about the protocol’s security infrastructure and whether cross-chain bridges — often described as the “weakest link” in the DeFi ecosystem — can ever be truly secure. The fundamental challenge is that bridging assets across different blockchains requires some form of centralized custody or multi-sig control, creating a persistent attack surface that no amount of smart contract auditing can fully eliminate.

Market Context

The attack occurred against a backdrop of relative stability in the broader crypto market. Bitcoin was trading at approximately $30,590 and Ethereum at $1,925 on July 1, with the total crypto market capitalization hovering around $1.19 trillion. The incident had limited immediate impact on major asset prices, though it underscored the persistent risks that DeFi protocols pose to the broader ecosystem.

Poly Network has stated it is working with centralized exchanges and law enforcement agencies to recover the stolen assets. The company publicly appealed to the attacker, expressing hope that they “will cooperate and return the user assets to avoid any potential legal consequences.”

Why This Matters

The Poly Network hack is a stark reminder that DeFi security remains one of the most pressing challenges in the cryptocurrency space. Despite billions of dollars invested in blockchain infrastructure, cross-chain bridges continue to be low-hanging fruit for sophisticated attackers. The fact that Poly Network — a protocol that already suffered a $600 million exploit — could be breached again through compromised private keys suggests that fundamental security practices are still not being prioritized. For users, the lesson is clear: cross-chain bridges carry outsized risk, and assets held on these platforms should be treated with extreme caution. For the industry, it’s another black eye that fuels regulatory skepticism and erodes institutional confidence.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always do your own research before making any investment decisions.