Hackers stole hundreds of millions in digital assets from the obscure cryptocurrency platform Poly Network this week in a move crypto experts say shows the risky and experimental nature of an industry that is still nascent and largely unregulated.
In one of the biggest crypto thefts ever, US$600-million worth of digital assets were stolen from Poly Network, a decentralized finance – or “DeFi” – platform, on Tuesday, after hackers exploited a vulnerability that allowed them to divert the holdings out of it.
“This hacking event is an important lesson to the crypto market. It shows there are still a lot of vulnerabilities with new and unregulated parts of the crypto sector that users need to worry about,” said Justin Hartzman, co-founder and CEO of CoinSmart, a Toronto-based cryptocurrency exchange.
Unlike CoinSmart and other more well-known crypto companies such as San Francisco-based Coinbase and Binance, which was founded by Chinese entrepreneurs, Poly Network is not a crypto exchange – it does not facilitate the buying and selling of crypto tokens. Rather, decentralized finance platforms enable users to move digital currency from their own crypto wallets between blockchains. (A blockchain is essentially a digital ledger of transactions, and cryptocurrencies are built on them. Ethereum, for example, is a decentralized blockchain.)
Because a platform such as Poly Network merely enables users to send their own crypto tokens across different networks, and does not hold or store those tokens, any losses from a hack will be absorbed by the individual platform user.
DeFi technology has gained vast popularity and investor interest over the past few years, largely because it enables crypto-lending outside the confines of a traditional bank. For instance, someone who holds $1-million worth of bitcoin can either just store it on an exchange such as Coinbase, or use a DeFi platform to lend the bitcoin to other crypto users and earn interest of 10 per cent or more.
“If you have a bank account in Canada and you’re making 1 per cent on $100,000, you could be making 10 times that amount by placing your crypto on a DeFi platform. Beyond the interest earned, you’re seeing your crypto go up in value,” Mr. Hartzman explained.
DeFi proponents also say the technology can make lending and borrowing cheaper and more efficient, given that it eliminates middlemen and fees charged by them.
But the potential rewards of experimenting with new products within the crypto ecosystem come with significant risks, experts warn.
“There are so many projects under way in the DeFi world right now where obviously sometimes, there are platforms that do not take security very seriously because they are moving too fast,” said Boris Wertz, founder and partner at the Vancouver-based venture capital company Version One. The VC firm was an early investor in Coinbase, and doubled the value of one of its funds after Coinbase’s blockbuster stock market debut in April.
Mr. Wertz has been a crypto enthusiast for years, but even he expressed caution about engaging with certain DeFi platforms. “I think DeFi is a great financial innovation in the world of crypto and I do think it has potential, it’s just that it is early days and we don’t have much information yet about the risks,” Mr. Wertz told The Globe.
Brian Mosoff, CEO of Ether Capital, a Toronto crypto company that owns and invests in Ether, said one reason Poly Network may have been targeted by a hacker was that it is a very new platform – few developers and programmers have had a chance to analyze it and fix vulnerabilities.
“There were not enough people to battle-test the code. With Ethereum, it’s been around for a long time, there are a lot of developers fixing bugs. With newer DeFi networks, you’re really entering the Wild West,” Mr. Mosoff said.
In a peculiar turn of events, however, the hackers responsible for the Poly Network breach began giving back some of the digital money they stole, reportedly returning US$260-million worth of cryptocurrencies to the platform, according to a blog post from Chainalysis, a Japanese blockchain forensics company governments and corporations often use to track crypto hacks.
Chainalysis’s Twitter account also posted screenshots from an apparent online conversation between Poly Network and a hacker, in which the hacker claimed to have carried out the heist to “expose the vulnerability” before any other so-called “black hat” hackers took advantage of the system flaw.
Global securities regulators have increasingly shifted their attention to unregulated crypto platforms as a growing number of investors pour their money into cryptocurrencies. The Ontario Securities Commission recently barred Binance from operating in Ontario because it had failed to register with the OSC to begin the process of becoming regulated.
In response to a Globe query about whether the OSC has guidelines on how DeFi platforms are regulated in Canada, spokesperson Crystal Jongeward said that the Poly Network hack highlights “significant investor protection risks posed by unregistered crypto asset trading platforms.”
But Poly Network is not a crypto trading platform, and in Canada, existing rules appear only to be directed at crypto exchanges and other trading venues, not DeFi platforms.
“Of course the question everyone is asking is: How do we regulate these kinds of platforms? Regulation is definitely coming, but you have to remember that the technology is moving at a mile a minute and it is tough for regulators to keep up. Ultimately, they will have to hold DeFi platforms to a higher security standard,” said Andrew Kiguel, founder and CEO of Vancouver-based crypto company Tokens.com.
Poly Network did not immediately respond to The Globe’s request for comment. The company discloses little about itself on its website – not even its whereabouts. Some media reports have suggested the company is based in China.