Shanghai Man: Hack of little-known Poly Network highlights East-West crypto divide
This weekly roundup of news from Mainland China, Taiwan, and Hong Kong attempts to curate the industrys most important news, including influential projects, changes in the regulatory landscape, and enterprise blockchain integrations.
After ThorCHAIN and Chainswap were exploited, its safe to say that hacking cross-chain bridges seems to be the style of the season. This week, it was local project Poly Network that was fleeced of $615 million before leading the crypto community on a dramatic witch hunt to track down the attacker. While most news outlets have covered this story extensively, there are still a few points worth dissecting.
Who are these projects?
The first point is that most western DeFi users had never heard of Poly Network despite them amassing over $600 million in total value locked. Dovey Wan of Primitive Capital covered this on Twitter when she noted that the, Chinese crypto community always have their own version to utilize the same blockchain infra, for good and for bad, most are unseen and lack of accessibility to westerners.
Only after Poly got hacked most CT came to know this crosschain project with over $500m TVL, just as the PlusToken case in 2018
There are a VERY vibrant but completely different Defi communities happening in mainland China, despite the ban, despite many rugs and hacks
— Dovey Rug The Fiat Wan (@DoveyWan) August 11, 2021
So why are Chinese projects flying so far under the radar? The first reason might be a cultural and language barrier as Chinese marketing teams struggle to integrate into the fast-moving and esoteric world of Crypto Twitter.
Instead of trying to win over global communities, they focus on integrations that can bring users over directly.
According to SimilarWeb, Poly Network attracted over 58% of its web traffic from third-party website referrals, with Chinese DApps OpenOcean, O3 Swap, and Wing Finance at the top of the list. By contrast, Compound Finance receives more than half of its visits from direct hits, with only 16% coming via third-party websites.
Compounds two main websites for referrals are CoinMarketCap and CoinGecko. This shows that the difference in how Chinese and international users behave is quite tangible and that to capture both audiences requires two very distinct strategies.
Untangling the web
Another more taboo talking point is that many of these large Chinese DeFi projects have ties to other projects. Poly Network has ties to the O3 network, which itself is incubated by Neo. The extent to which Neo is involved is indistinct but it explains why its rare to see Poly Network founders marketing in public. These founders are often just figureheads for the parent company. The parent company gets all the benefits of launching a second token without taking the reputational or legal risk of being tied to it. If the side project succeeds, it can support the main network. If it fails, everyone moves on with their lives and pretends it never happened.
Its a big PR problem for O3Swap now that many of their users assets were compromised in the attack. This isnt the first time that the team has had to deal with negativity, as they were accused of having a backdoor function written into their code that would allow them to rug pull. Although this has never been exploited, it does raise eyebrows about the intentions of the developers.
After the hack, a lot of negativity flooded local social media, with comments calling into question the integrity of Chinese-made projects. One user on Weibo stated that you could beat him to death before he touched a Chinese project while another user just called it an inside job.
The bigger issue here is that prior to DeFi, substandard projects would never get off the ground, leading to a slow and painful soft decline in value for token holders. In this model, investors might still get the chance to recover some of their funds by selling on secondary markets.
In the new model of DeFi forks, code can be deployed and amass hundreds of millions of dollars in TVL very rapidly and without adequate risk controls. Audits can be superficial, and staggeringly high yields can seduce retail investors into providing liquidity. If the code is compromised, all the assets are lost, resulting in a much more swift and comprehensive loss for investors.
Looking for silver linings
The major positive in all this was the quick and united response of the Chinese blockchain community. Smart contract auditor Slowmist worked quickly with exchanges to limit the options of the attacker to liquidate funds. The company blog notes:
Special thanks to the teams such as Hoo, Poly Network, Huobi ZLabs, ChainNews, WePiggy, TokenPocket, Bibox, OkLink and many individual partners for synchronizing relevant attacker information with the SlowMist security team on time under the premise of compliance, and buying valuable time for tracking attacker.
Huobis co-founder Du June choed this on social media as well, stating that they would do everything in their power to protect the crypto community. This will be a welcome sign to Chinese DeFi users who want to see trust being rebuilt among the local players.
Huobi has taken notice of the large sum stolen from the #PolyNetwork tonight. Our risk control and security teams are already tracking and identifying the addresses involved. We'll do everything in our power to assist and protect the crypto community. #StrongerTogether
— Du Jun (@DujunX) August 10, 2021