Poly Network (2nd incident): Compromised 3-of-4 multisig → forged deposit proofs → cross-chain withdrawal drain
Summary
Poly Network (2nd incident) suffered a Cross-Chain Bridge exploit on 2023-07-01, resulting in a loss of approximately $4M.
What happened
Poly Network's second exploit lost $4.4M when three of its four multisig keys were compromised, allowing forged withdrawal proofs — a simpler attack than its $600M first hack but an equally avoidable one.
Linked factors
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action (Y/N): Y — multisig validation was the attack vector itself]
- RD-F-028 — causal : ★ Low-threshold multisig vs TVL [via cross-hack: Factor 23: Minimum-Threshold Multisig With Hot Wallet Signers] || ★ Low-threshold multisig vs TVL [via cross-hack: Factor 28: Insufficient Multisig Signing Threshold for TVL at Risk]
- RD-F-030 — causal : Hot-wallet signer flag on multisig [via cross-hack: Factor 23: Minimum-Threshold Multisig With Hot Wallet Signers]
- RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — multisig validation was the attack vector itself]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown]