Chatter about the largest attack in decentralized finance (DeFi) history has only intensified after the attacker returned at least $342 million worth of drained funds to the cross-chain DeFi platform Poly Network.
Now the crypto community is raising moral questions about how involved centralized players such as Binance and Circle should be when it comes to limiting monetary damage in the realm of DeFi exploits.
Others are asking whether attackers like the one in Poly Network’s case should be pardoned or even praised as they slowly return funds back to the protocols they preyed upon.
At press time, more than $342 million worth of tokens – including USDC, BUSD, SHIB and FEI – have been returned to Poly through Binance Smart Chain, Ethereum and Polygon, blockchain data shows. The attacker started returning funds at approximately 08:47 UTC on Wednesday and the latest return came at 19:06 UTC on the same day with roughly $84 million worth of USDC sent back to Poly on Polygon.
Centralization vs. decentralization
Despite the fanfare surrounding the Poly attack, some market observers said it showcased the advantage of having at least some degree of centralization in DeFi.
After Tether CTO Paolo Ardoino quickly responded on Twitter that the stablecoin issuer had frozen approximately $33 million related to the Poly exploit, many questioned the inaction of Binance Smart Chain (BSC), which is powered by centralized exchange Binance, and of Circle, the company behind the dollar-pegged stablecoin USDC.
A BSC spokesperson told CoinDesk that BSC is a “decentralized ecosystem where anyone and everyone can build on,” hinting that BSC cannot do much to roll back DeFi exploits on top of it.
Binance CEO Changpeng Zhao was more philosophical: “Unpopular opinion: nothing is risk free,” he said in a Twitter thread Tuesday, adding:
“While we can’t freeze funds on blockchains, if those funds land on our CEX [centralized exchange], we will (try to) freeze them. So, we have a lot of blockchain analysis to do. Nothing is easy. We try.”
The response from Zhao and BSC came in the context of Binance retaining a significant degree of control over BSC. BSC’s consensus algorithm, known as Proof of Staked Authority (PoSA), is run by 21 node operators, who are elected by Binance Coin (BNB) holders. Binance is one of the largest holders of BNB tokens, so it still has significant sway over BSC, making the network more centralized than competing blockchains.
Lianfeng Zhang, partner and chief security officer at blockchain security firm SlowMist, told CoinDesk that while BSC has fewer validators, a decision like freezing funds still needs to be voted on by the BSC community, and the process can be “troubling and slow.”
Zhang also said that, compared with Tether, USDC is subject to stricter compliance requirements that leave Circle little flexibility. Therefore, when an attack like the one on Poly happens, it is nearly impossible for Circle to act as fast as Tether did.
Circle did not respond to CoinDesk’s requests for comment.
Paxos, the company behind BUSD, another dollar-pegged stablecoin that was part of the stolen funds, told CoinDesk that it is “not doing anything” with regard to blacklisting the funds.
As the attackers started returning the drained funds, it appears they also had time to conduct a Q&A on the Ethereum blockchain.
The attacker allegedly wrote in one message embedded in an Ethereum transaction that, after spotting the bug on Poly, they ended up attacking Poly because they “can trust nobody.”
“I take the responsibility to expose the vulnerability before any insiders [are] hiding and exploiting it,” the message continued.
With the attacker becoming more engaged with the crypto community and having returned at least part of the funds, some members of the crypto space praised them as so-called white-hat hackers, a type of computer expert who ensures the security of a protocol by identifying and attacking its vulnerabilities.
In the Q&A, the attacker claimed they thought about informing Poly’s team about the bug but were afraid of a potential “traitor” who could be lured by the amount of money that was up for grabs.
However, according to Ari Redbord, head of legal and government affairs at blockchain intelligence firm TRM Labs, it is still too early to make a conclusion about the attackers’ motives.
“If it turns out that these attackers did have benign ambitions and that they were testing the infrastructure or testing the defenses of a DeFi protocol, this was not the way to do it,” Redbord, who previously worked in the U.S. Department of the Treasury as a senior advisor on terrorism and financial intelligence, said.
“Essentially, what you have here is people who lost their belief … hundreds of millions of dollars and potentially life savings [were taken],” he added.
UPDATE (Aug. 11, 21:27 UTC): Adds comments from Paxos.