CoinClear

Poly Network

1.8/10

Cross-chain bridge infamous for the $611M hack (funds returned) and a second 2023 exploit — trust destroyed, minimal usage, a bridge security cautionary tale.

Updated: February 16, 2026AI Model: claude-4-opusVersion 1

Overview

Poly Network entered crypto history on August 10, 2021, when a hacker exploited a vulnerability in the bridge's cross-chain verification logic to steal approximately $611 million across Ethereum, BSC, and Polygon — making it the largest DeFi exploit at the time. What followed was one of crypto's most bizarre incidents: the hacker, after being contacted by the Poly Network team and facing potential identification through on-chain analysis, returned virtually all the funds over the following days, claiming the hack was intended to expose the vulnerability.

The "white hat" narrative was always contested. The hacker appeared to return funds primarily because the major stablecoins (USDT on Ethereum) were frozen by Tether, making a significant portion of the stolen funds unusable. Whatever the motivation, the episode demonstrated catastrophic security failures in Poly Network's bridge verification logic — specifically, the ability to forge cross-chain messages by manipulating the relay chain's keeper list.

Poly Network continued operating after the incident, but trust was severely damaged. Then in July 2023, Poly Network was exploited again — this time for approximately $4.4 million through compromised bridge keys, with the attacker minting billions of tokens across multiple chains. This second exploit confirmed that the fundamental security issues were not isolated to the first incident.

As of 2026, Poly Network operates with minimal TVL and negligible usage. The bridge is technically functional but effectively abandoned by users who have migrated to more secure alternatives.

Security

The $611 Million Hack (August 2021)

The root cause was a vulnerability in Poly Network's cross-chain message verification. The attacker exploited the EthCrossChainManager contract's ability to call arbitrary contracts, using this to modify the relay chain's keeper (validator) list. Once the attacker controlled the keepers, they could forge cross-chain messages authorizing transfers from the bridge's locked funds.

Specific failure points:

  • The EthCrossChainManager allowed calling any contract through the executeCrossChainTx function without proper access control.
  • This allowed the attacker to call the EthCrossChainData contract and replace the keeper public keys with their own.
  • With compromised keepers, the attacker could sign fraudulent cross-chain messages approving massive withdrawals.

The Second Exploit (July 2023)

Two years later, Poly Network was exploited again for approximately $4.4M. This time, the attacker compromised 3-of-4 multisig keys controlling the bridge, minting 24 billion BNB, 999 trillion SHIB, and other tokens across multiple chains. Most minted tokens had limited liquidity, constraining actual losses, but the exploit demonstrated ongoing critical security weaknesses.

Security Assessment

Two major exploits in two years — including one of the largest in DeFi history — demonstrate fundamental, persistent security failures. The code quality, review processes, and architectural design failed catastrophically not once but twice. This is among the worst security track records of any operational DeFi protocol.

Technology

Cross-Chain Architecture

Poly Network uses a relay chain model for cross-chain communication. Source chains lock assets and emit cross-chain messages, the relay chain validates and relays messages, and destination chains execute the corresponding actions (minting/unlocking). The architecture is standard for cross-chain bridges but was implemented with critical access control failures.

Supported Chains

At its peak, Poly Network supported 30+ blockchains including Ethereum, BSC, Polygon, Avalanche, Fantom, Solana, and many others. This broad chain support was a competitive advantage before the hacks. Post-exploits, many chain integrations have been deprecated or operate with effectively zero usage.

Technical Debt

The codebase accumulated significant technical debt through rapid multi-chain expansion without adequate security review. The first exploit revealed fundamental architectural flaws, and the second exploit suggests remediation was insufficient. Code quality is a critical concern.

Decentralization

Centralized Keepers

Poly Network's relay chain operated with a small set of keepers (validators) controlling cross-chain message validation. The 3-of-4 multisig compromised in the 2023 exploit demonstrates extreme centralization — four keys controlled the entire bridge's security. This is not decentralized infrastructure; it's a multisig with a blockchain wrapper.

Governance

Effective governance is minimal. The protocol is operated by a small team with centralized control over keepers and bridge operations. There is no meaningful community governance or decentralized decision-making.

Adoption

Post-Hack Collapse

After the first hack, TVL dropped dramatically as users withdrew funds. The second hack in 2023 effectively completed the exodus. Current TVL is negligible — likely in the single-digit millions or less. Any remaining funds in the bridge represent either forgotten positions or users unaware of the risks.

Historical Context

At its pre-hack peak, Poly Network was one of the more widely used cross-chain bridges, particularly for smaller chains that lacked integration with larger bridges. This broad chain support attracted initial adoption but couldn't survive the trust destruction of two major exploits.

Current Status

Poly Network operates as a zombie protocol — technically functional but with no meaningful user base. New cross-chain bridging has migrated to more secure alternatives (LayerZero, Axelar, deBridge, Across).

Tokenomics

No Native Token

Poly Network does not have a widely adopted native token. Various bridge-related tokens have minimal liquidity and utility. The lack of a meaningful token economy further limits the protocol's ability to attract security resources, node operators, or community participation.

Risk Factors

  • TWO MAJOR EXPLOITS: $611M (2021) and $4.4M (2023) — pattern of catastrophic security failures.
  • Centralized key management: 3-of-4 multisig controlling the entire bridge.
  • Destroyed trust: No rational user should trust this bridge with significant value.
  • Minimal TVL and usage: Effectively abandoned by the market.
  • Architectural flaws: Fundamental access control failures in cross-chain verification.
  • No meaningful security improvements: Second exploit suggests inadequate remediation after the first.
  • Reputational damage: "Poly Network" is synonymous with bridge exploits in the crypto community.

Conclusion

Poly Network will be remembered in crypto history for two things: the spectacular $611 million hack (and the equally spectacular return of funds), and the demonstration that bridges with centralized key management are fundamentally unsafe. The fact that the protocol was exploited a second time two years later, through a different attack vector, confirms that the security failures were systemic rather than isolated.

The 1.8 score reflects a protocol that has failed at its most fundamental requirement — keeping user funds safe. The technology earned 3 points for the basic cross-chain architecture (which functionally worked), and the remaining dimensions score at or near minimum. The $611M hack's return does not redeem the security failure — it was returned primarily because funds were frozen, not because the protocol's security worked.

Poly Network's legacy is as a cautionary tale: cross-chain bridges are only as secure as their weakest point, and centralized key management is a single point of failure that can — and did — result in catastrophic loss. Do not use Poly Network.

Sources