Poly Network Hack - Polygon

    Polygon Bounty 4 - Examine the Polygon component of the recent Poly Network hack. Trace how the hackers tried to move funds and why.

    However, for the lazy ones out there, the short version:

    • The contract had a function which, when passed a specific crafted value, could transfer control of the contract (the keeper permission) to virtually any address.
    • The attacker brute-forced this value and used it to transfer control to his own address.
    • Once control was transferred, the liquidity was at his mercy. That's millions of dollars locked up; I wouldn't hesitate an instant to withdraw all of it.
    • No secret key was leaked (a good thing), making this purely a smart-contract exploit caused by faulty privilege management in these contracts.
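
    As an added illustration of the privilege-management flaw the bullets describe (constructed example code, not Poly Network's contracts; the function name verifyHeaderAndExecuteTx is taken from the timeline on this page, while KeeperData, setKeepers, onCrossChainCall and rotateKeepers are names assumed for the example), the Solidity below places a relay that forwards raw calls beside a hardened relay that cannot reach its own keeper registry:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the privilege-management flaw; this is not
// Poly Network's code. KeeperData, setKeepers, onCrossChainCall and
// rotateKeepers are names assumed for the example.

// Holds the keeper set that the bridge trusts to sign cross-chain headers.
// Only its owner may rotate it.
contract KeeperData {
    address public immutable owner;
    bytes public curKeepers;

    constructor(address owner_) {
        owner = owner_;
    }

    function setKeepers(bytes calldata keepers) external {
        require(msg.sender == owner, "KeeperData: not owner");
        curKeepers = keepers;
    }
}

// Interface that application contracts expose to the bridge.
interface ICrossChainReceiver {
    function onCrossChainCall(bytes calldata args) external returns (bool);
}

// VULNERABLE PATTERN: the manager owns KeeperData *and* forwards relayed
// messages as raw calls. Whoever gets a message relayed chooses the target
// address and the 4-byte selector, so KeeperData.setKeepers is reachable
// (msg.sender will be the manager) and control of the bridge passes to
// whatever keeper set the message carries.
contract VulnerableManager {
    KeeperData public immutable data;

    constructor() {
        data = new KeeperData(address(this));
    }

    function verifyHeaderAndExecuteTx(address toContract, bytes calldata payload) external {
        // Header / Merkle-proof verification against data.curKeepers() omitted.
        (bool ok, ) = toContract.call(payload);
        require(ok, "VulnerableManager: call failed");
    }
}

// HARDENED PATTERN: relayed messages never reach the manager's own privileged
// state. The manager (1) refuses itself and KeeperData as targets, (2) fixes
// the selector by calling a typed interface instead of forwarding raw calldata,
// and (3) moves keeper rotation behind a separate governance gate.
contract HardenedManager {
    KeeperData public immutable data;
    address public immutable governance;

    constructor(address governance_) {
        governance = governance_;
        data = new KeeperData(address(this));
    }

    function verifyHeaderAndExecuteTx(address toContract, bytes calldata args) external {
        // Header / Merkle-proof verification against data.curKeepers() omitted.
        require(
            toContract != address(this) && toContract != address(data),
            "HardenedManager: privileged target"
        );
        // The selector is fixed here; the relayed message only supplies application args.
        require(
            ICrossChainReceiver(toContract).onCrossChainCall(args),
            "HardenedManager: receiver rejected call"
        );
    }

    // Keeper rotation is a governance action, not something a relayed message can trigger.
    function rotateKeepers(bytes calldata keepers) external {
        require(msg.sender == governance, "HardenedManager: not governance");
        data.setKeepers(keepers);
    }
}
```

    The point of the contrast: in VulnerableManager the check inside setKeepers (msg.sender == owner) is satisfied by design for any call the manager forwards, so the authorization effectively collapses to "whoever can get a message through the relay". In HardenedManager the relay can only ever invoke onCrossChainCall on a non-privileged target, and keeper changes require a caller that the relay can never be.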

    The exploit is clearly explained in the articles below.

    As you can see from the previous table, the attacker made no attempt to transfer the funds out of the Polygon chain, unlike on the Ethereum chain. This could be because of @SlowMist_Team announcing information about the hacker, or it could be the untainted intentions of the hacker :-P

    On August 10th, Poly Network reported that an undisclosed attacker hacked a smart contract of the network, transferring the equivalent of roughly 610 million USD (mainly in Ether, Binance Coin and USDC) and moving them to external wallet addresses.

    On the Polygon sidechain the exploited contract address is 0xabd7f7b89c5fd5d0aef06165f8173b1b83d7d5c9.
    The exploiter's address is 0x5dc3603C9D42Ff184153a8a9094a73d461663214

    Timeline

    Aug-09-2021 11:22:29 AM +UTC
    0x87cf038e680e8a69b81272fe5bb11557dbcee1fbb8edcda7ec4f2b595e5e4dd0

    The exploiter brings in funds to the base address (the address the exploit is initiated from).

    Aug-10-2021 10:04:14 AM +UTC
    0x8c8b43012773b8948cfb0c66f69bfa7513817e35052ace91e2ed7eb9e8cacb95

    A day later, he uses verifyHeaderAndExecuteTx to brute-force the transfer of the keeper permission to his base address, which gives him access to all the liquidity locked in the contract.

    Aug-10-2021 10:04:22 AM +UTC
    0x1d260d040f67eb2f3e474418bf85cc50b70101ca2473109fa1bf1e54525a3e01

    With access to the liquidity he immediately drains a total of 85,089,610.911661 USDC from the pool 0x28FF66a1B95d7CAcf8eDED2e658f768F44841212.

    Aug-10-2021 10:29:21 AM +UTC
    0xfbe66beaadf82cc51a8739f387415da1f638d0654a28a1532c6333feb2857790

    Drains a further 108.694578 USDC from the pool.

    Aug-11-2021
    0x74403d359c6eb79acbfe24ddbbab60cccdf4cc8db64709576ed972f707ce52eb
    0x444561661539983b434f064dbaf1f0ef160def0baf201e61946384f111109910
    0x7033942dde965ad6ee5acbd16e068df8c6187d7c0782055f870994a95cb058c4
    0xc32f8501c62a69218b4cdaae93cffcf7b214f331942af9ecca7c35be49e796b6

    Returns most of the stolen funds to 0xa4b291ed1220310d3120f515b5b7accaecd66f17, the PolyNetwork multisig contract. The first two transfer events are the transactions that involved the stealing of funds.