POLY NETWORK & HACKER

13-AUG-2021

• Aug-13-2021 12:13:03 PM +UTC

From White Hacker to Community

https://etherscan.io/tx/0x42446ccc66bb48eac7bd905ae7d79708f303849802b280eb4d65770c1bfc0997

Q & A, PART SIX:

Q: SPECIAL FORCE?

A: DO YOU MEAN THEY HAVE CALLED THE FBI? WHERE IS THE CLAIM? IN FACT, I DON'T THINK THEY HAVE TRIED TO CONTACT ME. I WILL GO THROUGH MY MESSAGE LIST LATER. (JUST START PROCESSING THE HUGE LIST TODAY, SORRY)

I AM GLAD THAT THEY AND OTHER SECURITY TEAMS MIGHT BE BENEFICIAL FROM THE GAME. EVEN THE EXPLOIT ITSELF COULD BE A TASTY FOOD FOR THE RESEARCHERS.

Q: ANYTHING ABOUT SECURITY TEAMS?

A: IT'S FUN FOR ME WATHCING THE EMERGENCY RESPONSES FROM TOP TIER SECURITY TEAMS (ONLY IN BLOCKCHAIN OF COURSE).

_NOTICE: THE FOLLOWING TIMELINE COULD BE WRONG!_

AT THE BEGINNING, MOST EXPERTS WERE TALKING ABOUT THE SINGLE KEEPER OF THE INSIDER CONSPIRACY. BASED ON WHAT I HAVE SEEN, @kelvinfichter WAS THE FIRST GUY POINTING OUT THE MOST CRUCIAL BUT OBVIOUS BUG ABOUT THE ETH CONTRACT. (I GOT YOUR ENCRYPTED INQUIRY ;) ) THEN THE SLOW MIST TEAM GOT EXCITED ABOUT THE BAIT AND ANNOUNCED THE GOOD NEWS ABOUT THE TRACES. DIDN'T THEY THINK IT'S TOO OBVIOUS SINCE THE SOURCE OF MY FUNDING WAS ALREADY LABELED "HOO"? ANY WAY, THEY TOOK THE RESPONSIBILITY TO LET THE COMMUNITY CALM DOWN. IT'S AN UNEXPECTED SIDE EFFECT, BUT IT'S VERY IMPORTANT. LATER THEY SEEMED BUSY HANLDING INQUIRIES AND DOUBTS FROM THE MEDIA AND THE COMMUNITY. I AM VERY HAPPY THAT THEY ARE HELPING ME TO FINISH THE GUIDING OR EDUCATION PART. THE DARK KNIGHT FINDS HIS HARVEY DENT! THANK YOU, THE SLOW MIST TEAM. THE OTHER SECURITY TEAMS DID NOT SEEM AS ACTIVE AS THE SLOW MIST, BUT THEY CONTRIBUTED TO EXPLAINING MORE DETAILS OF THE EXPLOIT. I THINK CERTIK WAS THE FIRST TO PUBLISH THE MISSING PART ABOUT THE ONTOLOGY INVOCATION. PECKSHIELD ALSO MENTIONED ABOUT THE KICKING OFF TRANSACTION AND THE SPECIAL SIGNER. KUDOS!

Q: ANYTHING ABOUT THE DEFI/BLOCKCHAIN SECURITY?

THE SECURITY IS A TOUGH JOB, NO MATTER IF IT'S IN CLASSIC OR CRYPTO WORLD. IN MOST CASES, WE SECURITY EXPERTS ARE ONLY SUMMONED AS THE MEDICAL EXAMINERS AFTER THE INCIDENTS. WHAT WE DO IS JUST WRITING POSTMORTEMS, SOMETIMES TRACING THE BAD GUYS. IT'S ALMOST THE SAME IN THE CRYPTO WORLD, EXCEPT THAT SOME PROJECT ARE NOT VERY URGENT GETTING THE MONEY BACK SINCE IT'S NOT THEIR MONEY, THEY WOULD JUST TELL THE REAL VICTIMS THAT "SORRY WE TRIED BUT NEVER GURANTEED THE EXTREME SECURITY".

ANOTHER FUNNY FACT IS THAT IT'S UNUSUAL TO SEE ANY PROFESSIONAL SECURITY TEAMS REPORT THOSE CRUCIAL BUGS OF LIVE CONTRACTS! SURE, THEY CAN ALWAYS TEACH YOU WHY YOU WERE KILLED AFTER YOUR DEATH! WHY DON'T YOU SEE ANY CASES THAT THE SECURITY TEAMS SPOT THE VULNERABILITY THAT AFFECTS MILLIONS USD, LET ALONE CASES IN BILLIONS? BECAUSE THEY ARE NOT PAID? I GUESS MOST TEAMS ARE EVEN RICHER THAN ME, AND SOME OF THEM MIGHT BE MORE CAPABLE THAN ME, DO YOU BELIEVE THAT THEY HAVE NEVER FACED THE SIMILAR TEMPTATION? OR SOME OF THEM JUST SURRENDERED TO THE EVIL? IT REMINDS OF THE FILM, "SEARCHING". JUST MY CONSPIRACY, AND THAT'S THE REASON I DON'T TRUST ANYONE, BUT YOU CAN ALWAYS BELIEVE IN ME.

15-AUG-2021

• Aug-15-2021 04:51:43 PM +UTC

From White Hacker to PolyNetwork

https://etherscan.io/tx/0x0ae3d3ce3630b5162484db5f3bdfacdfba33724ffb195ea92a6056beaa169490

I AM SO FLATTERED. I HAVE ALWAYS BEEN LOOKING FOR _FUNNY_ AND _RATIONAL_ IDEAS, LET ME SHARE THEM WITH YOU:

1. TURNNING THE ETHEREUM NETWORK TO BE A REAL ANONYMOUS TWITTER OR WHATSAPP! IT HAS BEEN WITNESSED THAT THE OBSTACLES OF MY NEGOTIATION WITH THE POLY WAS THE MAJOR CAUSE OF THE LATENCY: WE HAVE SPENT HOURS REACHING A CONSENSUS ON COMMUNICATION PROTOCAL! THE ETHEREUM HAS THE POTENTIAL TO BE A SECURED AND ANONYMOUS COMMUNICATION CHANNEL, BUT ITS NOT FRIENDLY TO AVERAGE USERS. THE EXTRACTION OF MESSAGE REQUIRES SOME THEQUINIES, THE ENCRYPTION OF MESSAGE IS A MORE ADVANCED SKILL. I HAVE NO RESEARCH ON EXISTING PROJECTS. AND THE GAS FEE STOPS MOST USERS, THOUGH IT DOES NOT STOP REFUGEES. IS IT POSSIBLE TO ULTILIZE THE ETH NETWORK FOR FREE BY USING EXTREMELY LOW GAS? A SNAPCHAT ON CHAIN?

2. WANDERING IN THE DEFI WORLD. IMPACT AND DIFFICULTY ARE THE TWO KEY FACTORS THAT DRIVE MY HACKING JOURNEY. AS I SAID HACKING IN DEFI IS NOT AS EXCITING AS HACKING THE REAL HARDCORE WORLD, ITS SO HOT THANKS TO THE CRYPTO BUBBLE AND THE RISK TAKING CROWD. I WILL INVEST MOST TIME IN LEARNING & HACKING OTHER STUFFS WHICH ARE ALSO IMPORTANT IN THE REAL WORLD, BUT I MAY HANG OUT AT NIGHT TO SEE IF THERE ARE THE POTENTIAL VULNERABLE PEOPLE. GIVEN THE CREDIT OF THIS ADDRESS, I THINK PEOPLE DONT NEED TO WORRY WHEN THEIR ASSETS ARE SECURED BY THIS ADDRESS. FOR SECURITY NOOBS, YOU HAVE TO KNOW THE DIFFERENCE AMONG HACKINGS: SOME ACTIVITIES ARE DEFINITELY CRIMES, LIKE RUG PULLING OR STEALING SOME PRIVATE KEYS. SOMETIMES EXPLOITING A VULNERABILITY IS LIKE WHISPERING A MAGIC SPELL TO BE THE OWNER OF THE BEAST. IN THE POLY HACK, I JUST TRIGGERED THE INTRINSIC BEHAVIOUR OF THE WILD SYSTEM BY LEGIMATE INSTRUCTIONS AND PROVED ITS DESTRUCTIVENESS. IN THE MEANWHILE, THIS PROCESS DOES NOT HURT THE ECONOMY OF THOSE TOKENS. IN CONTRAST, SOME HACKINGS MAKE PROFIT FROM DUMPING THE SHITCOIN (WHICH IS USUALLY THE REWARDING TOKEN OF THAT SHIT PROJECT) AND THEY CAUSE UNRECOVERABLE DAMAGE TO THE WHOLE PROJECT! THAT IS TO SAY, MY FUTURE ADVENTURE, IF THAT HAPPENS, WILL NOT BE AS DELIGHTFUL AS THE POLY HACK, SINCE PROTECTING THE ASSETS IS ALWAYS MY FIRST PRIORITY.

• Aug-15-2021 05:22:20 PM +UTC

From White Hacker to Community

https://etherscan.io/tx/0x1f3ff47b612f2c92a8bda39ba310c38b22a32dca94a38d7073abbc9bb53c1dbc

QUICK Q & A, PART (INCREDIBLE) SEVEN:

A: I AM FAIRLY CONFIDENT OF THEIR DESIRE AND CAPABILITY TO RECOVER AND SECURE THE PROJECT WHICH HAS BEEN DESIGNED AS A ROBUST SYSTEM. MY ONLY CONCERN IS THAT THE POLY CHAIN, THE CORE PART OF THE WHOLE NETWORK, IS _NOT VERY DECENTRALIZED_, AND THAT IS NOT SOMETHING I CAN CONTRIBUTE TO. MAYBE I AM _WRONG_.

A: I PREPARED TWO KEYS FOR THAT WALLET, ONE WILL BE PUBLISHED AND THE OTHER IS THE BACKUP. ASK THE POLY FOR MORE DETAILS.

A: THIS STORY HAS ITS HAPPY ENDING, BUT IT MAY NOT BE THE END OF MY WILD ADVENTURE. DO YOU THINK THE CREDIT OF THIS ADDRESS WILL BE HELPFUL FOR THE DARK KNIGHT?

A: NO. I WILL CHECK IT LATER. IT'S WEEKEND.

A: IT'S WEEKEND. I JUST WATCHED WRATH OF MAN. (LEAKING IDENTITY 4?)

• Aug-15-2021 03:29:07 PM +UTC

From White Hacker to PolyNetwork

https://etherscan.io/tx/0x578da109df18e8bc472ea2461b4977420ef0585d3f8fec252ecb8e5d681cb0ea

TBH I THINK THE POLY NETWORK IS A MASTERPIECE. IT'S MORE CAREFULLY DESIGNED THAN OTHER CROSS CHAIN PROJECT. HOWEVER, IT'S HARDER TO REVIEW DUE TO ITS COMPLEXITY. I TRIED TO CONVINCE THE COMMUNITY THAT IT HAD THE POTENTIAL TO BE THE MOST SUCCESSFUL CROSS CHAIN PROJECT AS IT USED TO BE, BUT I FELT THAT SOME SECURITY TEAMS WERE DOWNPLAYING THE QUALITY OF THIS PROJECT TO BOAST THEIR CAPABILITY OF QUICK POSTMORTEM. I HAVE NEVER THOUGHT OF HURTING THE DEVS WHO REALLY DEVOTED TO THEIR PROJECT, BUT I CAN NOT CONTROL THE WHOLE MEDIA. AS YOU KNOW, THE POLY CHAIN IS A NETWORK REQUIRES REGISTRATION, WHICH IS THE _CENTRALIZED_ PART WHICH I AM NOT ALLOWED ACCESS AND I CAN NOT TRUST, SO I HAD TO CONTINUE BLOWING UP THE _OBVIOUS_ PART OF THE EXPLOITATION CHAIN SO THAT THE REAL ASSETS COULD BE SAVED BEFORE ANY CAPABLE INSIDER FIGURING OUT THE POTENTIAL ATTACK VECTOR. FOR THE _CENTRALIZED_ POLY CHAIN, I THINK IT'S STILL A BIG LOOPHOLE OF A BILLION PROJECT, NO MATTER IF THE CONTRACTS ARE PERFECTLY IMPLEMENTED. YOU ARE FREE TO SHARE OR PUBLISH THIS MESSAGE. BTW I HAVE BEEN TOLD THAT THIS PROJECT IS HEAVILY USED BY ASIAN OR CHINESE DEFI USERS, BUT I DID NOT FIND MANY VOICES IN PUBLIC. DO YOU HAVE ANY SOURCES OF THE OPINIONS FROM COMMUNITY?

• Aug-15-2021 06:28:58 PM +UTC

From White Hacker to Community

https://etherscan.io/tx/0x0cf3678a08c93947a7e08f6f0d07609aef4f25bbe27215914bc46e12074fed8f

NOT JUST AMA BUT MY WARNING SINCERELY! SINCE I HAVE NO WAY HEARING ALL YOUR VOICE, I AM VERY WORRIED THAT SOME OF YOU GUYS MAY NOT UNDERSTAND THE REAL DANGER OF THIS WILD WORLD OF CRYPTO! HOPE THE MEDIA COULD BROADCAST MY VOICE SERIOUSLY:

I HAVE SPENT A LOT OF TIME EXPLAINING THE SECURITY STUFF. I CLAIMED THAT I WAS SUPER ANONYMOUS AND SECURE, WHY? BOASTING MYSELF? SOME PEOPLE READS IT AS "HE IS BLUFFING BECAUSE OF FEAR AND THE SECURITY TEAMS WHO HAVE TRACED HIM ARE ON THE WAY". WAKE UP BOYS! THEY ARE NOT THE GOD, THEY CAN NOT SAVE YOU! I CAN NOT SAVE YOU! YOU SHOULD LEARN TO PROTECT YOURSELF!

I HAVE EXPLAINED THE SITUATION OF SECURITY INDUSTRY (SEE P6Q1Q3), AS EXPERIENCED SECURITY EXPERTS, WE KNOW ALL THE WAYS OF TRACING THE BAD GUYS, THAT IS TO SAY, WE KNOW ALL THE WAYS OF HIDING FROM GOOD GUYS. IN THE REAL WORLD, THE GOVERNMENT AND POLICE MAY STAND ON YOUR SIDE, BUT THERE IS NO SUCH A UTOPIA IN THE CRYPTO WORLD! THE POINT OF CLAIMING MY ANONYMITY, ALONG WITH THE LESSONS ABOUT FEARLESS LAUNDERING, IS TO CONVINCE YOU THAT THERE ARE ALWAYS PERFECT HACKS THAT CAUSE PERMENANT DAMAGE FOR REAL! DON'T BE NAIVE! DON'T BELIEVE IN SO CALLED EXPERTS, ESCPECIALLY THOSE WHO CONCLUDE THAT "IT'S THE EVIDENCE THAT THE CRYPTOWORLD IS STILL SOMETHING CAN BE REGULATED"! PROTECT YOURSELF, OR JUST LEAVE THE CASINO!

16-AUG-2021

• Aug-16-2021 03:31:16 AM +UTC

From PolyNetwork to White Hacker (encode)

https://etherscan.io/tx/0xb0f349dada561574d1dde4850dc42c8de4ee0fcc10d0075f6304e4b0d80122a3

NOT APPROPRIATE FOR DISCLOSURE DUE TO PRIVACY CONCERNS

• Aug-16-2021 01:45:13 PM

From White Hacker to Community

https://etherscan.io/tx/0xea8ffdabd3dc2a43b643640be59a93953fa25d273d5beaa34ed96b7fc5f3d033

THANKS FOR YOUR SINCERE ADVICE!

YOU ARE 99% CORRECT ABOUT THE STORY BUT YOU ARE MISSING THE KEY POINT: YOU DON'T KNOW ME. MONEY MEANS LITTLE TO ME, SOME PEOPLE ARE PAID TO HACK, I WOULD RATHER PAY FOR THE FUN. I AM CONSIDERING TAKING THE BOUNTY AS A BOUNUS FOR PUBLIC HACKERS IF THEY CAN HACK THE POLY NETWORK. (THEY CAN WIN DOUBLE IF THEY FEEL THE CURRENT PLAN IS AWKWARD). IF THE POLY DON'T GIVE THE IMAGINARY BOUNTY, AS EVERYBODY EXPECTS, I HAVE WELL ENOUGH BUDGET TO LET THE SHOW GO ON. JUST SOME FUNNY THOUGHTS BUT I MAY PROBABLY MAKE THEM COME TRUE. IF YOU ARE STILL CONFUSED, ASK SOME RICHER FRIENDS, WHAT IS MONEY FOR?

I TRUST SOME OF THEIR CODE, I WOULD PRAISE THE OVERALL DESIGN OF THE PROJECT, BUT I NEVER TRUST THE WHOLE POLY TEAM.

MY ONLY GUILTY WAS TRIGGERED FROM THE REFUGEES. ALL OF MY ACTIONS WERE DETERMINED SINCE I MADE THE FINAL DECISION TO BE THE ETERNAL. I AM A LITTLE BIT SURPRISED THAT YOU CALL THEM PROFESSIONAL NEGOTIATORS, JUST LOOK AT THEIR TENSE AND REPETITIVE WORDS. IF THE POLY REALLY GOT MY INITIAL IDEA, THEY COULD BE LESS EMBARASSED. I PUBLISHED THEIR REQUEST SO THAT THEY GOT THE CHANCE TO BE A WINNER. WHO DO YOU THINK IS DOMINATING THE GAME?

• Aug-16-2021 04:56:11 PM +UTC

From White Hacker to Community

https://etherscan.io/tx/0xe28a27546b3b7b0910d16d47352e27edd1541bccf817c2d938079504a1a3dc66

Q & A, PART (TECHNICALLY) EIGHT:

Q: WHEN WILL YOU PUBLISH THE KEY?

A: `I WILL PROVIDE THE FINAL KEY WHEN _EVERYONE_ IS READY.` MY IDEA IS NOT CHANGED, BUT I DO WORRY IT MIGHT BE AN ENDLESS WAR. SO I MIGHT RELEASE IT EARLIER AS LONG IF THE COMMUNITY UNDERSTANDS EVERYTHING. SEE NEXT QUESTION.

Q: HOW IS THE SECURITY OF CURRENT CONTRACTS?

A: IT'S HARD TO SAY. I LEAVE IT AS A CHALLENGE ALONG WITH THE HINTS FROM P1Q3Q4/P2Q1 TO THE SECURITY TEAMS. MAYBE THEY PRETENDED NOT KNOWING THE SUBTLE FACTS.

IF YOU WERE WILLING TO UNDERSTAND MY BEHAVIOR, AND HAD READ MY DIARY AND THE CODE, YOU SHOULD BE ABLE TO ANSWER THE QUESTION: WHY TRANSFERING IMPORT TOKENS IS KEEPING IT SAFE?

IN THIS HACK, I CONVINCED THE KEEPERS TO APPROVE AN EXECUTION THAT WILL UPDATE THE KEEPER'S PUBKEY IN THE MANAGER CONTRACT. THEN THE MANAGER WHO IS AUTHORIZED TO OPERATE ON THE VAULT IS UNDER MY CONTROL. SOME SNOW WHITE HACKERS WOULD SAY THAT: I CONTROLLED THE KEY, LETS REPORT TO THE DEVS, OTHERWISE I AM NO LONGER GOOD BOY AND DAD WILL BLAME ME. MY OPERATION CONTINUED, NOT ONLY FOR FUN, WHICH WAS THE MAJOR REASON, BUT ALSO FOR THE TRUST ISSUES.

THEIR AUDITS AND CLAIMS ARE MITIGATIONS AROUND THE CROSS CHAIN MANAGER(ECCM). IS IT THE MOST PRIVILEGED CONTRACT? NO! THE VAULT ASKS THE CROSS CHAIN MANAGER PROXY(ECCMP) FOR THE REAL MANAGER. THE ECCMP CAN BE CONFIGURED BY THE OWNER OF VAULT. IN SHORT, THE PRIVILEGED OWNER ACCOUNT OF THE VAULT IS SO POWERFUL THAT IT CAN BYPASS ALL THE SECURITY MECHANISMS BUILT IN THE ECCM.

IT SOUNDS LIKE A COMMON SCENARIO OF DEFI WORLD. MANY DEVS DESIGN SIMILAR SYSTEMS LIKE THAT, THEY NEVER EXPECT THE SYSTEM HAVE TO DEAL THE TRUST ISSUES IN BILLION DOLLARS SOMEDAY. I WOULD LIKE TO SEE A BILLION DOLLAR PROJECT CAN BE BUILT ON A TRUSTLESS SETUP, AND HOPEFULLY IT DOES NOT REQUIRE A PRIVATE CHAIN AS RELAYERS.

TRUSTING THE SINGER DEV'S KEY IS ROUGHLY EQUIVALENT TO TRUSTING THE MULTISIG WALLET. NOW THE WHOLE PROJECT HAS BEEN MONITORED BY THE HUGE CROWD, IF EVERYONE IS READY TO ACCEPT THE FINAL KEY, I WILL BE RELIEVED FOR NOT BEING THE SUPERVISOR.

17-AUG-2021

• Aug-17-2021 12:54:02 PM +UTC

From White Hacker to Community

https://etherscan.io/tx/0x8ad83154b2e80390f3b7d2d7eb0b21e94c0e20f80d78ab614a5b7f019d31e645

MY BAD JOKE TODAY:

P: SIR, COULD YOU PLEASE UNLOCK THE ACCOUNT WE SCREWED UP LAST WEEK?

T: WHICH ONE?

P: THE WHITE HAT HACKER. HE IS THE SAVIOR.

T: NO. WE WERE TOLD THAT HE WAS A BAD GUY.

P: WHO SAID THAT?

T: IT'S YOU.

P: ...

P: BUT HOW COULD I PAY HIM IN T?

T: ...

T: ANY WAY YOU SHOULD NOT TRUST ANY ANONYMOUS GUY IN THE CRYPTO WORLD.

P: SURE, BUT I PREFER TRUSTING MY CHIEF SECURITY ADVISOR RATHER THAN A DICTATOR.

JUST FOR FUN

18-AUG-2021

• Aug-18-2021 07:15:38 AM +UTC

From PolyNetwork to White Hacker

https://etherscan.io/tx/0xc23d9188bd6ba5c3b7c819bd2973967d01fcbe4ed5bf79120df6d334b094938a

Greetings Mr. White Hat.

In the light of the ideas that you have shared on public forums, we feel that you share the same vision as Poly Network - to build a secure, transparent, and decentralized protocol in the blockchain world. If we can figure out a way to move forward together, this could turn into a unique experiment for the industry. We think the first step in this collaboration can be to use the previously mentioned 160 ETH Bounty as a safety fund, managed using an address attributed to you (e.g. 0xA87fB85A93Ca072Cd4e5F0D4f178Bc831Df8a00B ?) to reward those who make outstanding contributions to the industry's security in the future.

Blockchain is a whole new world, but in a short time span has made itself relevant to many people's lives. Since this incident first occurred, our team has been working around the clock to restore normal operations to Poly Network as soon as possible. There are many projects and users using Poly Network services and we want to minimize the impact on them. Hence, a secure method to swiftly restore our network is currently our top priority. The assets in Poly Network do not belong to us, but to the users, and we have felt the panic of many users who are concerned about the loss of asset rights. We hope you can provide us with your private key to help us restore the assets of affected users as soon as possible and alleviate the panic.

We as a group also have our own beliefs and ideas about blockchain, which is why we launched Poly Network. We firmly believe that blockchain isn't just limited to being a new technology, but also a fresh concept and a whole new method of collaboration. We hope Poly Network can become a part of the Web 3.0 infrastructure and facilitate interoperability for different ledgers in the future blockchain world. Before this incident, we decided to upgrade Poly Network to a completely decentralized network, which will be a major upgrade on Poly Network after about two months. Here's a link to the code- https://github.com/polynetwork/Zion. In this new upgrade, we have worked on a new network consensus mechanism, the protocol architecture and the token economy model. We planned on announcing this on August 18 2021, the first anniversary of Poly Network's mainnnet launch, and were prepared for the entire campaign. So, you can rest assured that we are, in fact, moving towards a common goal.

Poly Network is a complex system. Interoperability between heterogeneous chains is a new venture, and we need time in order to finish up the new upgrade. After this upgrade goes live, the new Poly Network will operate in a decentralized fashion. We understand your concerns, and so we propose modifying the privileges to a multisignature mechanism for relay chain verifiers that would finally determine the upgrade.

No good protocol is built overnight, and we built Poly Network with the goal of building a protocol that belongs to everyone. That is the philosophy with which we entered this blockchain world in the first place. So we encourage more people that share our vision to join us, and we very much hope you will participate in the decentralization process of Poly Network and contribute to protocol security by playing an important role within Poly Network in the future.

Perhaps the current version of Poly Network is not perfect from a decentralization point of view, but we hope you understand our plans for the project, and the anxiety on part of the users. We believe that after we leave this incident behind, you can join the Poly Network team to discuss future upgrade plans, not just from a security perspective, but also weighing in on more aspects so that we can make Poly Network a better, secure, and more open system together.

Poly Network Team

• Aug-18-2021 12:16:49 PM +UTC

From White Hacker to Community

https://etherscan.io/tx/0x3598218cba95e97d805eeaead681ec11738245ee9d3b4d99162419b6b74f3042

DEAR POLY,

GLAD TO SEE THAT YOU ARE MOVING THINGS TO THE RIGHT DIRECTION! YOUR ESSAYS ARE VERY CONVINCING WHILE YOUR ACTIONS ARE SHOWING YOUR DISTRUST, WHAT A FUNNY GAME. YOU DON'T EVEN THINK TO UNLOCK MY USDT ACCOUNT.

I AM NOT READY TO PUBLISH THE KEY IN THIS WEEK. IF YOU ARE WORRY ABOUT THE INTEREST, I COULD SIGN THE TRANSACTION OF DAI TOKEN TO THE PREVIOUS MULTISIG WALLET, THEN YOU CAN DEPOSIT THE STABLES LIKE WHAT I DID LAST WEEK. NOW IT'S THE SAME SITUATION WITH A FEW DAYS AGO: IF YOU TRUST ME, YOU CAN HAVE A GOOD REST AND FOCUS ON THE REPAIRING AND RESTORING PROCESS. HERE IS ONE THING THAT YOU CAN ALWAYS TRUST ME: HOLDING BTC & ETH IS BETTER THAN TRADING THEM.

• Aug-18-2021 04:27:54 PM +UTC

From PolyNetwork to White Hacker

https://etherscan.io/tx/0x2360ad9f0435083154d03f22ae0f02b4ed801d866410ce7c3337d259f5887e0c

Greetings Mr. White Hat.

Thank you very much for your suggestions, but we are unlikely to get a proper rest until we fully return the user assets. For us, there is still a lot of work to be done. Recovering everything as soon as possible is our first priority.

Regarding the issue of locked USDT you brought up, we are already communicating with Tether. For Tether, how to deal with this USDT pool is a question that requires careful consideration and prudent decision-making. We believe that there will be a concrete result soon, and we also need this part of assets to complete the full asset recovery.

We well understand your idea to deposit DAI to earn interest from it, but unfortunately Poly Network does not have the right to perform any operations on the user’s assets. What we can do is to convert DAI back to USDC to restore the user’s assets. We will use our own funds to compensate the slippage incurred in the transaction, but we still hope that you can return DAI to us first, which will help us convert into USDC in batches and reduce the slippage costs.

At the same time, even though we did not receive your feedback on the matter yet, we still decided to go ahead and transfer 160ETH to the address (0xA87fB85A93Ca072Cd4e5F0D4f178Bc831Df8a00B). We hope that the funds can be used to incentivize more security experts to contribute to blockchain security in the future.

With regards to Poly Network's decentralization upgrade, we decided to use the multi-signature of relay chain validators to authorize upgrades. We also hope to invite you to participate in the future development of the Poly Network. If you want, your address (0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963) can be one of the validators.

Finally, we still hope you can provide the key to us this week, because thousands of users are waiting get their assets back. The sooner the asset recovery can be carried out, the more negative emotions will be avoided, and we believe it is the right way to treat our users.

Poly Network Team

• Aug-18-2021 12:16:49 PM +UTC

From White Hacker to Poly Network / White Hacker REFUND

https://etherscan.io/tx/0x7563df0ea875d3f7ef056c1084c50312b9b79974c2152e372ec15b355bd3322c

I SEE YOUR POINT. PLEASE BE PATIENT. JUST SIGNED TRANSACTIONS OF USDC & DAI A FEW HOUR AGO.

• Aug-18-2021 11:18:19 PM +UTC

From White Hacker to Poly Network

https://etherscan.io/tx/0x29939d068232548715cdf2f7069bd42f5146b3200bbfbef8f1e8d565786c83af

I GOT TONS OF CHINESE COMMENTS ON MY BSC ADDERSS. SOME RANDOM STUFF IS FUN. BUT WHY ARE THEY ASSUMING HACKERS ARE BLACK PEOPLE? ISNT THAT WEIRD?

19-AUG-2021

• Aug-19-2021 03:20:50 AM +UTC

From Community to White Hacker (encode)

https://etherscan.io/tx/0x38ad10b88d9f1f49d91f54297d5802073e724854920c703a39ad71574827d49c

Q: BUT WHY ARE THEY ASSUMING HACKERS ARE BLACK PEOPLE?

A: THEY ARE JUST IMAGING WHAT THEY WILL DO IF THEY CAN TAKE SUCH AMOUNT OF MONEY. IF SOMEDAY THEY HEARD A BUG OF SOME PROJECT, THEY WILL STEAL THE MONEY EVEN IF THEY NEVER KNOW HOW TO HIDE THEMSELVES.

> 1: IT'S A SERIES OF HARD QUESTIONGS. I DON'T KNOW. AND I HAVE A FEELING THAT YOU KNOW THE POLY MUCH BETTER THAN ME, WHY NOT ANSWERING IT FOR ME?

LOL FOR THIS

• Aug-19-2021 03:19:43 PM +UTC

From White Hacker to Community

https://etherscan.io/tx/0x2626407ef8b417ae095c3bddfd9971c2e1054083d11ab2240246141a776d9204

NOT AMA, BUT A TOUGH STORY

IT MIGHT BE THE MOST WEIRD EXPERIENCE IN MY LIFE TO COOPERATE WITH A CHINESE TEAM.

I FELT INCONSISTANCE FROM THIS GROUP OF PEOPLE. THEY BUILD THINGS CARELESSLY, BUT THEY CAN FIX THEM QUICKLY. THEY ARE GOOD AT BARGAIN AND BOASTING. THEY KNOW HOW TO TREAT AND HOW TO TRICK. THEY CAN DESIGN SOPHISTICATED CRYPTO PROTOCOLS BUT THEY DON'T KNOW HOW TO APPLY THE SKILL IN REAL WORLD.

I HAVE BEEN TRYING TO COOPERATE WITH THEM THROUGH ETHEREUM WHICH SHOULD BE EFFICIENT AND ELEGANT, BUT IT'S NOT AS SIMPLE AS I EXPECTED. IT TOOK HOURS TO SETUP THE ENCRYPTED CHANNEL FOR INITIAL COMMUNICATION. SINCE THE CHANNEL IS ONLY FOR VULNERABILITY DISCLOSURE, I WILL DECRYPT ALL THE MESSAGES HERE FOR TRANSPARENCY. (SEE THE APPENDIX). NO MORE ENCRYPTION FROM NOW ON.

I JUST WANT TO MAKE THE IT _PERFECT_, SO I _REALLY CARE_ ABOUT RETURNING THE LOCKED USDT. I CAN UNDERSTAND THOSE CHINESE GUYS ARE AFRAID OF BEING SCAMMED, SO I SUGGESTED THAT I CAN RETURN MUCH MORE MONEY THAN THE LOCKED USDT SO THAT THEY WON'T LOSE MORE FOR SURE. THEN I STARTED TRANSFERING EVERYTHING IN BSC & MATIC. HOWEVER, I FELT THAT MY GOODWILL WAS IGNORED COMPLETELY. THEY WERE JUST SITTING THERE AND PUSHING ME. MAYBE THEY WERE TOO NERVOUS UNDER THE PRESSURE FROM THE COMMUNITY. I REALIZED THAT THERE WAS A BETTER WAY TO GET THEM OUT OF THE TROUBLE QUICKLY WHILE KEEPING MY DIGNITY, SO I PROPOSED BUILDING A SHARED MULTISIG WALLET. THAT'S A STRONG PROMISE THAT I WILL NOT BE ABLE TO DO ANYTHING RANDOM TO HURT ANYBODY. --I WAS SURPRISED THAT THEY HAD TROUBLE UNDERSTANDING THE MEANING OF THE SHARED WALLET AND IGNORED MY PROPOSAL FOR HOURS.-- (IT WAS MY FAULT THAT I MISSED THE CORRESPONDING RESPONSE. I DIDN'T NOTICE THAT UNTIL REVIEWING THE CHAT HISTORY TODAY) SOON THEY TRIED TO BRIBE ME WITH THEIR LIMITED BUDGET, WHAT A HILARIOUS SCENE! DID I LOOK LIKE SOME RANSOM GANGSTER? DEAR CHINESE BUSINESSMAN, MONEY IS NOT THE ONLY THING THAT MATTERS.

THE RESPONSE OF THE USDT ISSUE WAS AMBIGUOUS. IT WOULD BE MUCH MORE REASONABLE IF THEY HAD FIXED THE PROBLEM WHILE I WAS RETURNING OTHER ASSETS. NOW UNLOCKING USDT SEEMS RISKY GIVEN THAT THEY ARE THE WINNER WHO SUCCESSFULLY TRICKED THE BAD GUY TO RETURN EVERYTHING. I AM A LITTLE BIT UPSET ABOUT THEIR HYPOCRISY AND INCOMPETENCY, BECAUSE IT'S NEVER HARD TO SOLVE THE TRUSTING ISSUE AS CRYPTO ENTHUSIASTS: I CAN APPROVE THE TRANSACTION OF MY USDT FROM ANY ACCOUNT, WHICH IS A FEATURE OF THE ERC20 TOKENS, THEN THEY CAN DO THE UNBLACKLIST AND TRANSFER IT IN A SINGLE TRANSACTION OF SMART CONTRACT. IT'S A NEAT SOLUTION TO PROVE THAT ALL ASSETS HAVE BEEN TRANSFERED TO THE SECURED WALLET.

MAYBE THE POLY IS REALLY BUSY WORKING ON THE REPAIRING (AND THEY DID IT REALLY FAST). THOUGH THEY ARE JUDGING ME BASED ON THEIR HYPOTHESIS, I STAY OPEN AND HONEST ABOUT THIS INCIDENT, ANSWERING THE RANDOM QUESTIONS TO ALLEVIATE THE DISTRUST. HERE IS THE MOST WEIRD THING: THE HUGE CROWD OF CHINESE REFUGEES ARE GONE! THEY DON'T EVEN SHOW UP IN THE MESSAGE LIST OF THE MULTISIG WALLET! IT'S REALLY A STRANGE FEELING SINCE I WAS PREPARING FOR COVERING THE UNEXPECTED LOSS OF THOSE GUYS AND WAITING FOR THEIR CLAIMS AND IDEAS ABOUT THIS PROJECT. BUT THE POLY TEAM TOLD ME THAT THERE WERE THOUSANDS OF PEOPLE WHO WERE STILL WORRYING ABOUT THE POTENTIAL LOSS. NOW I BECOME A REAL JOKER: DOING GOOD THINGS IN MY OWN WAY BUT BEING HUMILIATED BY THE CROWD.

I AM KIND OF CONFUSED ABOUT WHAT A MORAL LEADER SHOULD DO, PERHAPS I SHOULD NOT HAVE TAKEN IT SERIOUSLY. ANYWAY, THINGS ARE GETTING BETTER. THE REPAIRING IS SUPRISINGLY FAST. I AM MORE THAN HAPPY TO SEE THE RETURNED STABLE COINS FUNCTIONING IN THE CROSS CHAIN BRIDGE. AND I AGREE THAT THE LIQUIDITY PLAYS A KEY ROLE IN THE RECOVERING PHASE. I AM NOT READY TO PUBLISH THE FINAL KEY IN THIS WEEK THOUGH, I CAN PROVIDE ENOUGH LIQUIDITY OF WBTC & ETH TO START THE ENGINE. GETTING TIRED OF THE MESS. IT'S REALLY A WILD AND WEIRD JOURNEY.

APPENDIX:

_TBH I DID NOT RAED SOME CRITICAL MESSAGES IN TIME, SORRY_

CONVERSATION BETWEEN THE POLY AND ME:

TX 0x64eb495eba8b2000181498910748614dbd2c4bd7d6997af20cdb92c2518b2bce: "PING ME BACK IF YOU CAN HEAR ME." (MAYBE INCORRECT)

TX 0x69534e330c5f8529759272b86e90bbacf7a5c4082683064c471e5539eacf53ba: "OR LIKE THIS" (MAYBE INCORRECT)

TX 0xea4b6061c3e42c255b9cb5e78ff7ff9211b54423ff6d95c22f48df033cc011c8: "Would you please connect with us through e9g6xdbo@poly.network"

TX 0x62d376fbb95367ba95d046c0c041531e320e93526fc282da5a1a65dacc885f47: "NO EMAIL. SORRY. THE ETHEREUM MEMORIZE. I MAY OR MAY NOT PUBLISH OUR CHAT LOG. YOU CAN CHOOSE TO BE TRANSPARENT AND TO SYNC WITH THE PUBLIC."

TX 0x4d6490b47a82e548236b4448713a973d833e439ad9fff76513d38ad2f7cb4fa5: "NEXT MOVE: UNLOCK MY USDT THEN I TRANSFER IT TO YOU"

TX 0x7a924cf530150ba0d0d8b063f33a812ccf7564d347c193d03ad3b728c5fc6ab2: "we will inform Tether as soon as you return all the asset in Polygon"

TX 0x339bee245002f1c41eff7469fe51424d48d6ef856cc81e81d66135e40968f53f: "Is this mailbox yours negotiations@cock.li"

TX 0x588732ed9ec2861e6300710a9a3dcad20d8da591e7e93da3b556d351da697477: "Please confirm your email is polyhacker@yandex.com, not negotiations@cock.li, too many fake emails."

TX 0x98b6316d3004be81c5d1b06c27472bef8097c9c922345876cd36111495ccf32a: ALREADY DECRYPTED

TX 0xdef85ff964015bbb4634f414b1f52228569912657932fa7db5c3365609befb10: "SOME TIPS: AS YOU MAY ALREADY KNOW, I TRIGGERED A NATIVE CONTRACT ON ONTOLOGY WHICH CALLED CROSS CHAIN FUNCTIONS ON THE FOUR CHAINS. THE RELAYERS SHOULD IGNORE MY TRANSACTION SINCE IT'S NOT DEFINED IN THE CONFIG. THEN I NOTICED THE INVOCATION IS ALREADY RECORDED AND PROVED BY THE POLY CHAIN, SO I CAN QUERY THE LOGS AND REPLAY THEM ON THE DEST CHAINS"

TX 0x2f47a23f49ea52a21d44e41937362a55d8addcbe2dbe13f1536da2e16fc41448: "YOU GUYS SHOULD HAVE ENOUGH FUND AND CREDIT TO START THE RECOVERING PHASE. FOR THE REST OF ASSETS, I'M CONSIDERING BUILDING A MULTISIG WALLET SHARED BETWEEN US. I WILL TRANSFER THE REMAININGS TO THAT WALLET. I WILL PROVIDE THE FINAL KEY AFTER IT'S SETTLED. YOU CAN CLAIM THAT YOU HAVE COLLECTED THE ASSETS EARLY. LET THE CRYPTO TALKS. (I MAY DISCLOSE THIS MESSAGE LATER)"

TX 0x05f90618be1e7f64230618476912dccb0091f6eb011dd983f4ac7239e846d422: ALREADY DECRYPTED

TX 0x6c2bbca8ddc9b5ff6ffb1adc0000d909646321de35a4569a3d9c6087cd733f32: "we are working on solutions based on your request"

TX 0x76c8bb50b66b9c21655c2379ebd023100aec3df551dffbb8c33ee11764b10544: I MISSED THIS ONE. "We have prepared 160 ETH of bug bounty at 0x583E25dE879e90cF5fC637F8Dc16Db8F10D91C17, and we will transfer it to a designated address after receiving all the remaining assets.)

There are two options for the receiving address of user assets:

1. Transfer to the multi-sig address on Ethereum that we provided: 0x71Fb9dB587F6d47Ac8192Cd76110E05B8fd2142f. This solution is helpful for users to quickly restore control of their assets.

2. We prepare a 2-2 multi-sig address together. You will be one of the co-signers, and the other co-signer is our multi-sig address: 0x71Fb9dB587F6d47Ac8192Cd76110E05B8fd2142f. This solution requires you to sign and return the assets later.

At the same time, we expect to upgrade Poly Network and to fix the vulnerabilities tomorrow. We hope that we can receive the remaining assets today, so that Poly Network and the related projects can be resumed as soon as possible. We wish we can continue to have your assistance regarding security after this incident is resolved."

TX 0x64c237d37a39662c8386a6f4893c5852486c3d1bbc68605465c603061ddf7d13: "N FROM YOU, 2 FROM ME, MAKE A N+2/N+1 WALLET. 1 KEY WILL BE PUBLISHED, 1 KEY IS THE BACKUP. USE ADDRESSES: 0xDbfa1dC4c1F2bd322b067b8160830F478823059D AND 0x114A38E1f18504BfCc8e4cbfEfff879d2607cE62. TEST IT BEFORE USING IT."

TX 0x80606664c4cc699c76678842eb13f14ea1e1c85ada8ecf621ee210a7be545d2c: "https://gnosis-safe.io/app/#/safes/0x34D6B21D7B773225A102b382815e00Ad876E23C2/transactions, please sign it"

TX 0x8e1f8292201459f372eb1246e5fac4b0814d9a45f9fc30fd7af599fd0d09d040: "We have received all the assets and we expect to restart Poly Network as soon as possible this week. Therefore, to restore all assets according to the original ratio, we hope that you can provide us with the private key of one of the multi-sig addresses .)

We've also noticed that you disclosed that we offered a security bounty. Regarding your contribution to the Poly Network, we still hope to provide you with our bounty reward, and hope that you can send us an address. Of course, we hope to invite you to become the Chief White Hat of Poly Network in the future and contribute to the development of the blockchain world with us."

TX 0x6c4dbf770b84d97fef3a1088cfa92f1af724dabfdbd43839b82bc9bc80b7f1c4: I MISSED THIS ONE "We are discussing with Tether team about the locked USDT."

TX 0x88cc92a023105802dbd4172f451663c6d67f8990da69f0867b3f045e26e11328: "In order to ensure the safe recovery of Poly Network's systems, we expect the following work to consist of five phases:)

1. Vulnerability fix: We will complete vulnerability fix in collaboration with multiple security agencies; will start a global Bounty program and invite more security agencies and white hat organizations to participate in the security review.

2. Mainnet upgrade: After conducting audit together with multiple security audit companies, we will update the mainnet and enable the cross-chain functions as soon as possible. We will postpone the launch of other advanced functions.

3. Putting projects back online: After completing assessment by the security agencies, we will gradually restore the cross-chain services of some projects that use Poly Network.

4. Asset recovery: After receiving the authorization with your private key, we will perform asset recovery as soon as possible to make preparations for users to freely withdraw their assets.

5. Restart of all services: After all assets are fully recovered, we will fully restore all the functions of the Poly Network and will return the control of the assets to the users."

TX 0x96cf55c87fd9eddced690c4dc05dcc37247910bd8873bef52b55a977f345330d: "This is the PR to fix vulnerability, https://github.com/polynetwork/eth-contracts/pull/12/files"

TX 0xa53f6bb54b3dfa4fcca5b307a8a0b56c3a683dc6cfee5ed7415c57a5a1aff3b7: I MISSED THIS ONE "We will update the mainnet and enable the cross-chain functions tomorrow. In addition to the 160 ETH Bounty (converted from $500k at then) we previously promised, we will release a new $500k Bounty Program for global security agencies. Before that we also expect to get your comments on this Hotfix PR."

TX 0x393cec648733d3fd1448ae5620700f505c357e6b684e5bcc0d584ca3b0ede5bd: "Today the Poly Network mainnet has been relaunched, and the cross-chain transfer has been enabled for some projects . Thank you very much for your support and assistance. We have carefully reviewed your suggestions to everyone. As you mentioned yesterday, "SINCE PROTECTING THE ASSETS IS ALWAYS MY FIRST PRIORITY", we hope to restore the ability to use and make cross-chain transfers of major assets to our users as soon as possible. We would like to know in which way you plan to transfer your private key to us. This will speed up the process of giving the control of assets back to users."

SOME ENCRYPTED TEXTS (FROM A TRUE INSIDER):

TX 0x578da109df18e8bc472ea2461b4977420ef0585d3f8fec252ecb8e5d681cb0ea: "TBH I THINK THE POLY NETWORK IS A MASTERPIECE. IT'S MORE CAREFULLY DESIGNED THAN OTHER CROSS CHAIN PROJECT. HOWEVER, IT'S HARDER TO REVIEW DUE TO ITS COMPLEXITY. I TRIED TO CONVINCE THE COMMUNITY THAT IT HAD THE POTENTIAL TO BE THE MOST SUCCESSFUL CROSS CHAIN PROJECT AS IT USED TO BE, BUT I FELT THAT SOME SECURITY TEAMS WERE DOWNPLAYING THE QUALITY OF THIS PROJECT TO BOAST THEIR CAPABILITY OF QUICK POSTMORTEM. I HAVE NEVER THOUGHT OF HURTING THE DEVS WHO REALLY DEVOTED TO THEIR PROJECT, BUT I CAN NOT CONTROL THE WHOLE MEDIA. AS YOU KNOW, THE POLY CHAIN IS A NETWORK REQUIRES REGISTRATION, WHICH IS THE _CENTRALIZED_ PART WHICH I AM NOT ALLOWED ACCESS AND I CAN NOT TRUST, SO I HAD TO CONTINUE BLOWING UP THE _OBVIOUS_ PART OF THE EXPLOITATION CHAIN SO THAT THE REAL ASSETS COULD BE SAVED BEFORE ANY CAPABLE INSIDER FIGURING OUT THE POTENTIAL ATTACK VECTOR. FOR THE _CENTRALIZED_ POLY CHAIN, I THINK IT'S STILL A BIG LOOPHOLE OF A BILLION PROJECT, NO MATTER IF THE CONTRACTS ARE PERFECTLY IMPLEMENTED. YOU ARE FREE TO SHARE OR PUBLISH THIS MESSAGE. BTW I HAVE BEEN TOLD THAT THIS PROJECT IS HEAVILY USED BY ASIAN OR CHINESE DEFI USERS, BUT I DID NOT FIND MANY VOICES IN PUBLIC. DO YOU HAVE ANY SOURCES OF THE OPINIONS FROM COMMUNITY?"

TX 0x5ca0c6d1380fbbea5152ac35d6c876c5accc91d6a7d960f75ed534ed5bdfa1e5/0xb0f349dada561574d1dde4850dc42c8de4ee0fcc10d0075f6304e4b0d80122a3: NOT APPROPRIATE FOR DISCLOSURE DUE TO PRIVACY CONCERNS

TX 0x29939d068232548715cdf2f7069bd42f5146b3200bbfbef8f1e8d565786c83af: "I GOT TONS OF CHINESE COMMENTS ON MY BSC ADDERSS. SOME RANDOM STUFF IS FUN. BUT WHY ARE THEY ASSUMING HACKERS ARE BLACK PEOPLE? ISNT THAT WEIRD?"

TX 0x38ad10b88d9f1f49d91f54297d5802073e724854920c703a39ad71574827d49c: "Q: BUT WHY ARE THEY ASSUMING HACKERS ARE BLACK PEOPLE?

A: THEY ARE JUST IMAGING WHAT THEY WILL DO IF THEY CAN TAKE SUCH AMOUNT OF MONEY. IF SOMEDAY THEY HEARD A BUG OF SOME PROJECT, THEY WILL STEAL THE MONEY EVEN IF THEY NEVER KNOW HOW TO HIDE THEMSELVES.

> 1: IT'S A SERIES OF HARD QUESTIONGS. I DON'T KNOW. AND I HAVE A FEELING THAT YOU KNOW THE POLY MUCH BETTER THAN ME, WHY NOT ANSWERING IT FOR ME?

LOL FOR THIS

"

• Aug-19-2021 05:04:00 PM +UTC

From Community to MrWhiteHat

https://etherscan.io/tx/0x6640a2f9b9c876f6c2ed10a250c8a5e907b4b420d0f33da7ae0ac62b219bdfc4

Hello, Mr. White Hat Hacker. I am a Chinese whose assets are in your custody in this case. I just read about your experience and wanted to explain to you why you don't see much of the Chinese community. The reason is that the users in the Chinese community are basically in a spontaneous group chat of 500 people on wechat. In China, people prefer to communicate and voice in the form of a group rather than being used to speaking alone or expressing their own opinions. If you like, I can pull you into the wechat group and chat with everyone. Now everyone in the group calls you hacker teacher because they think you have taught us a lesson. In addition, my assets were frozen in this event and suffered a little loss. Could you please give me 0.1 ETH to make up for my loss?

• Aug-19-2021 07:40:50 PM +UTC

From Community to MrWhiteHat

https://etherscan.io/tx/0xeff05f021d6d8b1106148fde9b2fb0eb09226bf0af2691ebed771491416888df

Hey brother, I am a Chinese and I have 1 BTC and 40k+ USDC of token frozen in liquidity. I have read all of your msg on ETHEREUM. My English is poor, so If there are some inaccurate expressions, please forgive me.

I think poly team just freaked out because the amount of funds is huge. I was also freaked out at the beginning.

About what you said REFUGEES are gone, It’s because some people who join in just for fun and they are not the ones who have lost token. I have some group chat in tg all this time, but most people do not know how to send messages on chain.

Thank you for letting us understand some of the risks, we will treat defi more carefully going forward.

• Aug-19-2021 08:09:52 PM +UTC

From MrWhiteHat to Community

https://etherscan.io/tx/0xb2d8747fbd4778162551cda83e181e07ad414a901380befc271ac30e306fe260

IF THEY DON'T KNOW HOW TO SEND TRANSACTIONS, HOW COULD THEY EXPECT A BETTER LIFE THAN REFUGEES IN THIS DEFI WORLD?

• Aug-19-2021 08:40:56 PM +UTC)

From MrWhiteHat to Community

https://etherscan.io/tx/0xc60435e7af3e3b8ca1d3506c74665c18341adac398f6c7ed59f4e5b171382a96

THANKS FOR YOUR INFORMATION. I CAN NOT APPROVE YOUR REQUEST SINCE THERE IS NO HISTORY OF YOUR ACCOUNT INTERACTING WITH THE VULNERABLE CONTRACT.

I HAVE NEVER EXPECTED THE DIFFICULTIES IN COMMUNICATION WITH THE CHINESE COMMUNITY. NOW THE GUIDING THING MEANS LITTLE, IT'S NOT EVEN CLEAR IF THEY CAN UNDERSTAND MY EXPRESSIONS. THE COMPENSATION FUND IS ALSO MEANINGLESS, PLEASE STOP DONATING TO THE OTHER ADDRESS. I WILL TRANSFER THE DONATIONS AND THE FUNNY BOUNTY TO THE SHARED WALLET, THEN THEY CAN BE DISTRIBUTED TO THE VICTIMS FOR SURE. I THOUGHT I SHOULD AND COULD DOMINATE THE GAME EVEN IF THE POLY TEAM WAS PANICKED AND PASSED OUT. IT WAS MY MISTAKE. NOW THAT THEY HAVE RECOVERED FROM THE CRISIS, LET THE CHINESE TEAM HANDLE THE CHINESE BUSINESS.

• Aug-20-2021 02:06:32 AM +UTC

From Community to MrWhiteHat

https://etherscan.io/tx/0x7072a53abe9f8f7170c2290a1481150d2366d3927870aecc30bcc5b9d34bd589

Dear MR. white hat,Greetings from Chinese community, maybe I can explain something to you and hopefully can remove your doubts and relieve you a little bit.1.About the poly teamYes, as you wrote, it’s hard to evaluate the POLY team. Our Chinese defi projects usually have some common unspoken rules, when they build things, they will review the codes very carefully and invite audits company’s do the auditing multiple times to prevent potential attacks from outside, but they are always so confident they would leave super authorities for themselves, maybe convenient for upgrades and for security safety reasons, subjectively They preclude the possibility of themselves being the victimizer. So, you see the super owner account and you feel strange why it’s so centralized and still so many people willing to invest in it. Actually, it works for most of our Chinese. When we seek for defi projects, we would basically do the research of the background of this project other than read the codes because we are not capable of reading codes, some of us even don’t know how to send transaction. In your world, you only trust codes, but for us we are more inclined to trust people. Wow, this project is endorsed by so many famous institutions, then yolo!!!!LOL. I know we were idiots and really learned a lesson from you. 2.the attitude of polyon your position, you may think Poly tricked you to some extent and only pushed you for returning the assets, even bribed you. It is funny, but maybe its not true. What poly did at first piss off our Chinese community a lot, they didn’t get what your intention and more importantly poor communication skill caused the mistrust and misunderstands. About the locked USDT, they just own you an explanation, from what I know, it is not the process you think. “Frozen funds will be released back to the legitimate owner once there is confirmation / proof of proper actions taken in order to restore security of the bridges.” The CTO of Tether stated on his twitter. It is the normal process tether dealing with the frozen funds. I have to admit Their communication skills really suck, they didn’t even show up to comfort their users when this event occurred, just released some fixing updates with their cold words in the first few days. But in latest two letter they wrote to you, we can see the sincereness and gratitude, I don’t think it is a bribery or something to offer you the bounty. In our Chinese culture, when someone did something good for us, we usually would give him a red pocket to express gratitude, just a gesture of goodwill. LOL. In a word, poly incompetent and inefficient communications lead to all these misunderstandings and mistrusts which make you think they trick you.3. THE HUGE CROWD OF CHINESE REFUGEES ARE GONE! We are here!!!I left you a few messages before maybe you missed it. We have a WeChat group of 500 people named O3 SURVIVORS (PREVIOUS NAME O3 VICTIMS, LOL YOU SAVEd US, You built the NOAH’S ARK) . We talk about you every day, waiting for the todays’ little essay, it is a really unforgettable experience for us either. We were terrified at first, it’s like everything is gone, our lives’ been ruined. when we got to know your real intentions, we were really appreciating what you did for us. Most of us are poor in English, much more shitter English than you. LOL. And we wanted to leave space to you and poly team, scary of too many messages would occupy your time and make things more difficult. We are the jokers not you we bet our live savings to something we didn’t know without doing research.4.The assets recovery problemThey still just own you an explanation. You’ve urged them to start the refund process for several times, they did nothing but push you to return the remaining assets, our community were all annoyed at first. Then I contacted the o3 admin, he said, “one problem is that for cross chain pools we allow users to cash out in busd, usdt or husd even if they deposited something else so if not all funds are returned doing a partial return could result in people draining the pool and people who were slow can't withdraw”. And that would cause more problems and panic. There is no single asset which is full enough to be capable to be withdrawn. You returned the dai back yesterday, I think the USDC pool could be resumed soon. Hope we can see some progress in the following days. Poly team is really poor in communication skills.Hope you are doing well, our Chinese communities are all rooting for you. I’ve noticed you have transferred the bounty to the shared wallet as a compensation for us. We really appreciate for what you did for us. In my opinion, from my personal part I don’t deserve the compensation, all I need is a lesson. Fortunately, the lesson is free, just consume a little energy and emotions. Thank you very much. At least , you guided me, so the guiding part is not meaningless. ----from a fan from Chinese community

• Aug-20-2021 04:29:01 AM +UTC

From Community to MrWhiteHat

https://etherscan.io/tx/0x8c728a303dc82b32c9e2ae1e8c2ce4a055320839be12ace158f30314148b7708

Hello,Mr.White Hat,

I think these are the reasons why our Chinese refugees didnt show up in the message list:

most of us don't know how to send msg with a transaction.

some of us aren't good at English like me.

most of us aren't a technical guy and haven't deep understanding of crypto or decentralization.i think this part of us doesnt have much to say or maybe just "would u pls return the assets" or something like that.

But we did have put pressure on the team of poly and O3(build on poly,lost 300m+) in their wechat and tg groups.so at least poly was right about their users feelings.someone lose their temper and i am glad that those guys haven't send you msg :)

My personal views, i do think u have saved my ass from other greedy hacker,and poly should do things follow what you said.For poly team,they suck,i will withdraw all my assets after the cosschain function resume.but i still don't think they deserve a complete failure for their project.hope that they can do better after this event.

Have a nice day,

A Chinese refugee(not a real one,i know:))

• Aug-20-2021 02:09:55 PM +UTC

From MrWhiteHat to Community

https://etherscan.io/tx/0x5b96403a7c9350fe719746c525e8fd54b3cdb91ec889f4c4e910020fc5925594

TO CHINESE FRIENDS: THANKS FOR YOUR INFORMATION. AND I REALLY APPRECIATE THAT SOME OF YOU KEEP SILIENCE IN ORDER TO SAVE MY TIME. THAT IS REALLY IMPORTANT! IF I CAN NOT FINISH MY SUMMER PROJECT BY THIS WEEKEND, MY MOM WILL NOT TELL ME THE WIFI PASSWORD! NOW IT SEEMS THAT THE CHINESE COMMUNITY IS READY TO SEE THE HAPPY ENDING. PLEASE BE PATIENT, THE KEY WILL BE PUBLISHED IN NEXT WEEK FOR SURE.

• Aug-20-2021 03:48:37 PM +UTC

From Community to MrWhiteHat

https://etherscan.io/tx/0xdb4586c2c7d309ac1740c9dc9656233d91e5bf6cf880cff0886664cfe2e8224c

We hope to clarify with you the situation with regards to unlocking USDT assets. In order to ensure the transparency of information, we have compiled our actions related to USDT assets. We have been maintaining close communication with Tether and referring to their standard procedures, so it was not until last night that Tether let us know the final solution:

(Aug-10-2021 12:30 PM +UTC) Poly Network reports issue to Tether team

(Aug-10-2021 01:40 PM +UTC) Tether team freezes $USDT on 0xC8a65Fadf0e0dDAf421F28FEAb69Bf6E2E589963

(Aug-12-2021 02:20 PM +UTC) Poly Network starts discussing with Tether team the procedure for tokens reissuance

(Aug-12-2021 05:38 PM +UTC) Poly Network sends "we are discussing with tether team about the locked usdt." tx:0x6c4dbf770b84d97fef3a1088cfa92f1af724dabfdbd43839b82bc9bc80b7f1c4

(Aug-13-2021 04:30 PM +UTC) Tether provides formal instructions regarding how to recover USDt tokens

(Aug-19-2021 03:50 PM +UTC) Tether asks Poly Network to confirm that 0x71 multisig address is correct to return USDT to Poly Network

(Aug-19-2021 06:00 PM +UTC) Poly Network confirms the address and further coordinate with Tether remaining steps.

Thank you for assisting us in returning DAI assets. We will restore USDC assets as soon as possible and begin preparations for the restoration of wBTC and ETH assets.

Poly Network does not have own token, and it does not charge users or projects any fees. As an independent project, we have no budget apart from grants from establishing members. Maybe in the future we will have a bigger budget after fund raising, but currently this 160 ETH (500k USD) bounty is a considerable amount for our team. We did not want to make fun of anyone, we just wanted to build a good product. By giving the bounty we want to express our gratitude, because security has always been our top priority.

There were some misunderstandings in the last 10 days because a lot of things were happening. Hope we will have a more efficient communication and never lose synchronization in the future.

23-AUG-2021

• Aug-22-2021 11:06:57 PM +UTC

From MrWhiteHat to Community

https://etherscan.io/tx/0x9339943f2f9f425b1910d213d440b975b839e53e6b9a80ab0d82336dfa70db7c

Loganx2025: THANK YOU FOR COMPILING THE TRANSACTIONS! I HAVE NEVER EXPECTED THAT MY PRIVATE JOURNEY WOULD BE RECORDED IN THIS WAY.

• Aug-22-2021 11:40:48 PM +UTC

From MrWhiteHat to Community

https://etherscan.io/tx/0x3d48cd7ebd3c1cf5854bdfb78848f10ac77f75343ff3d7b6dc34ac7543603af4

TO MEDIA FRIENDS (@CoinDesk, @tomrobin AND OTHERS), THANK YOU FOR REFILLING THE POPCORNS EVERYDAY. PERSONALLY I DON'T THINK THERE ARE AS MANY AS TWISTS YOU WOULD IMAGINE, THOUGH READING THE MISINTERPRETATIONS IS FUN. I DON'T REALLY WANT THOSE MESSAGES TO BE EXAGGERATED SINCE I HAVE BEEN WORKING HARD ON REBUILDING THE TRUST AND CONFIDENCE IN A _TOUGH AND COMPLICATED_ WAY. I WOULD REALLY APPRECIATE IF YOU COULD CITE THE ONCHAIN RESPONSES FROM THE POLY TEAM INSTEAD OF FOCUSING ON MY VOICES ONLY. AND THEIR STATEMENT IS MUCH MORE POLITELY THAN MINE SINCE THEY DON'T WRITE IN ALL CAPITAL. HAPPY ENDING IS COMING. YOU MAY NOT HAVE CHANCE TO INTRODUCE MORE TWISTS, BUT YOU CAN ALWAYS FIND MORE FUNNY DETAILS IN THE STORY.