Poly Network 被攻击事件中来自黑客的 25 段对话

交易 hash：
https://eth.tokenview.com/cn/tx/0x87715ad26621431c2c27f44d9214798e0c81a97d938ba5d4580dcd72f07ec6a8

  原文： DONATE TO 0xA87fB85A93Ca072Cd4e5F0D4f178Bc831Df8a00B IF YOU SUPPORT MY DECISION ENCRYPT YOUR MSG WITH HIS PUBKEY IF YOU WANT TO TALK

  翻译： 如果你支持我的决定就捐给 0xA87fB85A93Ca072Cd4e5F0D4f178Bc831Df8a00B。想通过链上讨论的话记得用他的PUBKEY加密讨论内容。

交易 hash：
https://eth.tokenview.com/cn/tx/0xa7cd9cb0211942998602e22ad6f7fd7d9c1eef9515f4e4154a76237d5fd71aa3

  原文： DUMPING SHITCOINS FIRST! HOW ABOUT UNLOCKING MY USDT AFTER RETURNING ENOUGH USDC?

   翻译： 先抛了SHITCOINS！退还USDC解锁USDT？

交易 hash：
https://eth.tokenview.com/cn/tx/0x3de5a4eb6c1953ce2d0422bc5d0d16b2d9e54316cf0784bb793b3c67f09387b7

  原文： JUST DUMPED ALL ASSETS ON BSC & POLYGON. HACKING FOR GOOD, I DID SAVE THE PROJECT

  翻译： 刚刚在BSC和Polygon上抛售了所有资产。一直黑下去，我拯救了这个项目。

交易 hash：
https://eth.tokenview.com/cn/tx/0x1fb7d1054df46c9734be76ccc14fa871b6729e33b98f9a3429670d27ec692bc0

  原文： Q & A, PART ONE: Q: WHY HACKING? A: FOR FUN Q: WHY POLY NETWORK? A: CROSS CHAIN HACKING IS HOT Q: WHY TRANSFERING TOKENS? A: TO KEEP IT SAFE. WHEN SPOTTING THE BUG, I HAD A MIXED FEELING. ASK YOURSELF WHAT TO DO HAD YOU FACING SO MUCH FORTUNE. ASKING THE PROJECT TEAM POLITELY SO THAT THEY CAN FIX IT? ANYONE COULD BE THE TRAITOR GIVEN ONE BILLION! I CAN TRUST NOBODY! THE ONLY SOLUTION I CAN COME UP WITH IS SAVING IT IN A _TRUSTED_ ACCOUNT WHILE KEEPING MYSELF _ANONYMOUS_ AND _SAFE_. NOW EVERYONE SMELLS A SENSE OF CONSPIRACY. INSIDER? NOT ME, BUT WHO KNOWS? I TAKE THE RESPOSIBILITY TO EXPOSE THE VULNERABILITY BEFORE ANY INSIDERS HIDING AND EXPLOITING IT! Q: WHY SO SOPHISTICATED? A: THE POLY NETWORK IS DECENT SYSTEM. IT'S ONE OF THE MOST CHALLENGING ATTACKS THAT A HACKER CAN ENJOY. AND I HAD TO BE QUICK TO BEAT ANY INSIDERS OR HACKERS, I TOOK IT AS A BONUS CHALL Q: ARE YOU EXPOSED? A: NO. NEVER. I UNDERSTOOD THE RISK OF EXPOSING MYSELF EVEN IF I DON'T DO EVIL. SO I USED TEMPORARY EMAIL, IP OR _SO CALLED_ FINGERPRINT, WHICH WERE UNTRACABLE. I PREFER TO STAY IN THE DARK AND SAVE THE WORLD.

  翻译： 

问与答，第一部分：

问：为什么要黑？

答：好玩：)

问：为什么是Poly？

答：跨链黑，时髦

问：为什么要转移Token？

答：为了保证它的安全。

当我发现漏洞的时候，我有一种复杂的感觉。我问自己，如果面对这么多财富该怎么办？礼貌地询问项目团队以便他们可以修复它？10亿美元足以让任何人背叛！是啊，无人可信！我能想到的唯一解决方案就是将它保存在一个值得信任的账户中，同时保持我自己的匿名和安全。

现在每个人都嗅到了一场阴谋。是内部人干的？在任何内部人士发现这个漏洞之前，我承认是我干的！

问：难吗？

答：Poly Network是一个不错的系统。这是黑客能享受到的最具挑战性的攻击之一。我必须迅速击败任何内部人士或黑客，我认为这是一个不错的挑战：)

问：你暴露了吗？

答：没有。绝不可能。即使我不作恶，我也明白暴露自己的风险。所以我使用了临时电子邮件，IP或所谓的指纹，它们都是不可追溯的。我宁愿呆在黑暗中拯救世界。

交易 hash：
https://eth.tokenview.com/cn/tx/0xd4ee4807c07702a3202f45666983855d7fa22eb1c230e4c1e840fc9389e54729

  原文： Q & A, PART TWO: Q: WHAT REALLY HAPPENED 30 HOURS AGO? A: LONG STORY. BELIEVE IT OR NOT, I WAS _FORCED_ TO PLAY THE GAME. THE POLY NETWORK IS A SOPHISTICATED SYSTEM, I DIDN'T MANAGE TO BUILD A LOCAL TESTING ENVIRONMENT. I FAILED TO PRODUCE A POC AT THE BEGINNING. HOWEVER, THE AHA MOMEMNT CAME JUST BEFORE I WAS TO GIVE UP. AFTER DEBUGGING ALL NIGHT, I CRAFTED A _SINGLE_ MESSAGE TO THE ONTOLOGY NETWORK. I WAS PLANNING TO LAUNCH A COOL BLITZKRIEG TO TAKE OVER THE FOUR NETWORK: ETH, BSC, POLYGON & HECO. HOWEVER THE HECO NETWORK GOES WRONG! THE RELAYER DOES NOT BEHAVE LIKE THE OTHERS, A KEEPER JUST RELAYED MY EXPLOIT DIRECTLY, AND THE KEY WAS UPDATED TO SOME WRONG PARAMETERS. IT RUINED MY PLAN. I SHOULD HAVE STOPPED AT THAT MOMENT, BUT I DECIDED TO LET THE SHOW GO ON! WHAT IF THEY PATCH THE BUG SECRETLY WITHOUT ANY NOTIFICATION? HOWEVER, I DIDN'T WANT TO CAUSE _REAL_ PANIC OF THE CRYPTO WORLD. SO I CHOSE TO IGNORE SHIT COINS, SO PEOPLE DIDN'T HAVE TO WORRY ABOUT THEM GOING TO ZERO. I TOOK IMPORTANT TOKENS (EXCEPT FOR SHIB) AND DIDN'T SELL ANY OF THEM. Q: THEN WHY SELLING/SWAPPING THE STABLES? A: I WAS PISSED BY THE POLY TEAM FOR THEIR INITIAL REPONSE. THEY URGED OTHERS TO BLAME & HATE ME BEFORE I HAD ANY CHANCE TO REPLY! OF COURSE I KNEW THERE ARE FAKE DEFI COINS, BUT I DIDN'T TAKE IT SERIOUSLY SINCE I HAD NO PLAN LAUNDERING THEM. IN THE MEANWHILE, DEPOSITING THE STABLES COULD EARN SOME INTEREST TO COVER POTENTIAL COST SO THAT I HAVE MORE TIME TO NEGOTIATE WITH THE POLY TEAM.

  翻译： 

问与答，第二部分：

问：30小时前到底发生了什么？

答：说来话长。信不信由你，我是被迫玩这个游戏的。

Poly Network是一个复杂的系统，我没有设法建立一个本地测试环境。一开始我没能拿到解码程序。然而，就在准备放弃的时候，我来了灵光一闪。经过整晚的调试，我向本体网络定制了A_SINGLE_MESSAGE。我计划发起一场很酷的闪电战，接管ETH、BSC、Polygon和HECO这四个网络。然而，HECO网络出了问题！中继者的表现和其他网络不一样，中继者直接发现了我的行为，钥匙被更新成了一些错误的参数。它毁了我的计划。我应该在那一刻停下来，但是我决定让节目继续下去！如果他们在没有任何通知的情况下秘密修补漏洞怎么办？然而，我不想引起密码界真正的恐慌。所以我选择忽略这些币，这样人们就不必担心它们会变成零。我拿了重要的代币(除了Shib)，一个都没卖。

问：那为什么要卖出/兑换稳定币？

答：Poly Network最初的反应让我很生气。他们在我还没来得及回复之前就号召别人责怪我、恨我！我当然知道有假DEFI币这一说，但我没有把它当回事，因为我没有清洗它们的计划。与此同时，存稳定币可以赚取一些利息，以弥补潜在的成本，这样我就有更多的时间与Poly Network谈判。

交易 hash：
https://eth.tokenview.com/cn/tx/0xe954bed9abc08c20b8e4241c5a9e69ed212759152dd588bb976b47eca353a5bc

  原文： Q & A, PART THREE: Q: WHY TIPPING 13.37? A: I FEELED THE WARMTH FROM THE ETHEREUM COMMUNITY. I WAS BUSY INVESTIGATING ISSUES FROM HECO AND DEBUGGING MY SCRIPTS. I THOUGHT IT WERE NETWORKING ISSUES WHY I COULD NOT DEPOSIT (I WAS BEHIND A SOPHISTICATED PROXY). SO I SHARED MY GOODWILL THE GUY. Q: WHY ASKING TORNADO AND DAO? A: HAVING WITNESSED SO MANY HACKINGS, I KNEW DEPOSITING INTO TORNADO IS A WISE BUT DESPERATE DECISION. IT WAS AGAINST MY ORIGINAL INTENTION. BEING THE CROWDSOURCED HACKER WAS JUST MY BAD JOKE AFTER MEETING SO MANY BEGGARS Q: WHY RETURNING? A: THAT'S ALWAYS THE PLAN! I AM _NOT_ VERY INTERESTED IN MONEY!I KNOW IT HURTS WHEN PEOPLE ARE ATTACKED, BUT SHOULDN'T THEY LEARN SOMETHING FROM THOSE HACKS? I ANNOUNCED THE RETURNING DECISION BEFORE MIDNIGHT SO PEOPLE WHO HAD FAITH IN ME SHOULD HAD A GOOD REST Q: WHY RETURNING SLOWLY? A: I DO NEED TIME TO TALK WITH THE POLY TEAM. SORRY, IT'S THE ONLY WAY I KNOW TO PROVE MY DIGNITY WHILE HIDING MYSELF IDENTITY. AND I NEED SOME REST. Q: THE POLY TEAM? A: I ALREADY STARTED TALKING WITH THEM BRIEFLY, THE LOGS ARE ON THE ETHEREUM. I MAY OR MAY NOT PUBLISH THEM. THE PAINS THEY HAVE SUFFERED IS TEMPORARY BUT MEMORABLE. I WOULD LIKE TO GIVE THEM TIPS ON HOW TO SECURE THEIR NETWORKS,SO THAT THEY CAN BE ELIGIBLE TO MANAGE THE BILLION PROJECT IN THE FUTURE. THE POLY NETWORK IS A WELL DESIGNED SYSTEM AND IT WILL HANDLE MORE ASSETS. THEY HAVE GOT A LOT OF NEW FOLLOWERS ON TWITTER, RIGHT?

  翻译： 

问与答，第三部分：

问：为什么是13.37？

答：我感受到了以太社区的温暖。我正忙着调查HECO的问题并调试我的脚本。我认为这是网络问题，为什么我不能存钱(我是一个复杂Proxy的幕后黑手)。所以我和他分享了我的善意。

问：为什么问TORNADO和DAO？

答：在目睹了这么多黑客攻击事件后，我知道陷入龙卷风是一个明智但绝望的决定。这违背了我的初衷。在遇到这么多贫穷的家伙后，成为他们中的一员只是我开的一个糟糕的玩笑：)

问：为什么要返还？

答：这一直都是我们的计划！我对钱不是很感兴趣！我知道当人们受到攻击时会很痛苦，但是他们难道不应该从那些攻击中学到点什么吗？我在午夜之前宣布了返还的决定，所以相信我，先好好休息一下；)

问：为什么返还很慢？

答：我确实需要时间和Poly Network谈谈。抱歉，这是我唯一知道的证明自己尊严同时隐藏身份的方法。我需要休息一下。

问：Poly Network怎么说？

答：我已经和他们简短地谈过了，日志都在以太坊网络上记录了。我可能会也可能不会发表他们。他们遭受的痛苦是暂时的，但令人难忘。我想给他们一些关于如何保护他们的网络的小贴士，这样他们就可以有资格在未来管理这个10亿美元的项目。

Poly Network是一个设计良好的系统，它将处理更多的资产。他们在推特上有很多新粉丝，对吧？

交易 hash：
https://eth.tokenview.com/cn/tx/0xe926ef4b6f4e3ff1b680df02a6a2456cd9b415d25f051bb894ea3e24cfa864f0

  原文： I DON'T USE EMAIL. FUCK [email protected] & [email protected]

  翻译： 我不用电子邮件。去他妈的[email protected]&Quot；[email protected]

交易 hash：
https://eth.tokenview.com/cn/tx/0xa5371eda3e56a614cdecc2b875f4236c7651e8ab3822f798b108e14b2659aaaa

  原文： DISCLAIMER: I HAVE NEVER ASKED FOR BOUNTY FROM POLY NETWORK WHAT I HAVE SAID IS ON THE CHAINS

  翻译： 免责声明：我从来没有要求过Poly Network的赏金，我所说的都记录在链上了。

交易 hash：
https://eth.tokenview.com/cn/tx/0xde330cbd5484e9ce808c60d3a76739f224eb8390b6b891a8e4d29dbdaeab826d

  原文： Q & A, PART FOUR: Q: WHY CEX? NOOB? A: WHATEVER THE KEY CHALLENGE OF THIS HACK IS TO INVOKE SOME CONTRACT FROM THE ONTOLOGY NETWORK (MY FAVOURITE PART). YOU HAVE TO GET SOME 'GAS' FOR THE ONTOLOGY NETWORK, WHICH IS CALLED 'ONG'. HOWEVER, IT'S NOT A DEFI TRADABLE TOKEN. I CAN ONLY FIND IT ON SOME CHINESE(?) CEXES. WHY BOTHER TRADING FROM DEX IF YOU HAVE TO GO THROUGH CEX? WHY DO YOU THINK I MAY LEAVE TRACES IN THE DEXES? Q: WHY REFUND? COWARD? A: WHATEVER WHEN YOU JUDGE OTHERS, YOU DO NOT DEFINE THEM, YOU DEFINE YOURSELF. I ALREADY ENJOYED WHAT I CARED MOST: HACKING & GUIDING. FEW HACKERS CAN UNDERSTAND THE SITUATION OF DEFI SECURITY. YES, YOU SEE A LOT OF HACKS, BUT MOST OF THEM ARE NOT ENJOYABLE AS A REAL HACKER. SOME STUPID CODE LEADS TO HUGE AMOUNT OF LOSS, BUT IT'S NOT CHALLENGING. IT'S LIKE FIGHTING AGAINST A TEENAGER. I WOULD ADMIT THAT THE POLY HACK IS NOT AS FANCY AS YOU IMAGINE, BUT I DID EXPERIENCED SOMETHING NEW FROM THE PROJECT. I WOULD SAY FIGUING OUT THE BLIND SPOT IN THE ARCHTECTURE OF POLY NETWORK WOULD BE ONE OF THE BEST MOMENTS IN MY LIFE. I HAVE GOT ENOUGH MONEY AS THE GROWTH OF THE CRYPTO WORLD. I HAVE BEEN EXPLORING THE MEANING OF LIFE FOR A WHILE. I HOPE MY LIFE CAN BE COMPOSED OF UNIQUE ADVENTURES, SO I LIKE LEARN & HACK EVERYTHING IN ORDER TO FIGHT AGAINST THE FATE. SEIN ZUM TODE. TO BE HONEST, I DID HAVE SOME SELFISH MOTIVES TO DO SOMETHING COOL BUT NOT HARMFUL BY LEVERAGING THE HUGE FUND, LIKE THE DAO IDEA. THEN I REALIZED BEING THE MORAL LEADER WOULD BE THE COOLEST HACK I COULD EVER ARCHIVE! CHEERS!

  翻译： 

问与答，第四部分：

问：为什么选择中心化交易所？菜鸟？

答：菜鸟？无所谓啦：)

这次黑客攻击的关键挑战是从本体网络(我最喜欢的部分)调用一些合约代码。你必须在本体上给钱包得到一些“气”，这就是所谓的“ONG”。不过这不是DEFI平台上可交易的代币。我只能在中国的中心化交易所找到它。有了中心化交易所，为什么要费心在去中心化交易平台交易呢？为什么你认为我会在去中心化平台留下痕迹？

问：为什么要退款？胆小鬼?

答：胆小鬼？无所谓啦：)

当你评判别人时，你不是在定义他们，而是在定义你自己。我已经享受了我最关心的事情：黑客和引导。

很少有黑客能理解DEFI安全的情况。是的，你会看到很多黑客，但作为一个真正的黑客，它们中的大多数都不是令人愉快的。一些愚蠢的代码会导致巨大的损失，但这并不具有挑战性。就像和一个青少年打架一样。我承认Poly黑客并不像你想象的那样花哨，但我确实从这个项目中体验到了一些新的东西。我想说，打破Poly网络弧形结构的盲点将是我一生中最美好的时刻之一。

随着密码世界的发展，我已经有足够多的钱。我探索生命的意义已经有一段时间了。我希望我的生活可以由独特的冒险组成，所以我喜欢学习和破解一切，以便与命运作斗争。向死而生(Sein Zum Tode)。老实说，我确实有一些自私的动机，想通过利用巨额资金做一些酷而无害的事情，比如DAO的想法。然后我意识到，成为道德领袖将是我最酷的事情！

干杯!

交易 hash：
https://eth.tokenview.com/cn/tx/0xd2750ac3aad70c0a73fd4cd5aa854770f3253026526ab3cdc88fd561b8ccd5a0

  原文： THE _POLYGON_ NETWORK IS SO UNRELIABLE FOR MANY TIMES I THOUGHT I HAD SENT THE TRANSACTION BUT IT VANISHED. LOL

  翻译： Poly网络太不可靠了，我已经发了多次交易，但都消失了。哈哈哈哈

交易 hash：
https://eth.tokenview.com/cn/tx/0x078063e9574e1937a64b6552919b9fc0035429df1e601d79e200bf211e75f337

  原文： GUYS, ASK YOURSELF, IS THE POLY TEAM THE OWNER OF THE ASSETS? THEY ARE JUST THE MANAGER OF THE FUND! WILL YOU TEACH THEM HOW TO TRIGGER THEIR 'BACKDOOR'? IN THE DEFI WORLD, YOU CAN TRUST NOBODY BUT THE CODE AND YOUSELF. TO THE 'VICTIMS': I DON'T MEAN THE POLY TEAM IS NOT TRUSTWORTHY, BUT NONE OF YOU HAVE THE CHANCE TO CHALLENGE THEIR CODE WHICH SHOULD BE THE LAW. DON'T WORRY, YOU ARE NOT REAL VICTIMES. I SAVED YOU!

  翻译： 伙计们，问问你自己，Poly 团队是这些资产的所有者吗？他们只是基金的经理！你会教他们如何触发他们的“后门”吗？在DEFI的世界里，你不能相信任何人，除了代码和你自己。

致“受害者”：我并不是说Poly团队不值得信任，但你们中没有人有机会挑战他们的代码，而代码应该是法律。

别担心，你不是真正的受害者。我救了你！

交易 hash：
https://eth.tokenview.com/cn/tx/0x05ddbcc01736dfe478526b33837f54ccf4f0e1e8abf06276d0a3fb18b8751ea9

HELLO BEGGARS, WHY NOT ASKING MONEY FROM THE POLY MULTISIG WALLET? 0x71Fb9dB587F6d47Ac8192Cd76110E05B8fd2142f

  翻译： 大家好，去向Poly的多签钱包要钱吧！0x71Fb9dB587F6d47Ac8192Cd76110E05B8fd2142f

交易 hash：
https://eth.tokenview.com/cn/tx/0x9dedb07cb1dc30e176b78be45c37787ce8f1b0ecc96228d82c451cc52e074154

  原文： TO SUPPORTERS: DO NOT DONATE TO THIS ADDRESS. IT'S MIXING WITH THE POLY TOKENS. PLEASE SEND IT TO 0xA87fB85A93Ca072Cd4e5F0D4f178Bc831Df8a00B

  翻译： 致支持者：不要向这个地址捐款。它和Poly代币混在一起了。请将其发送到 0xA87fB85A93Ca072Cd4e5F0D4f178Bc831Df8a00B

交易 hash：
https://eth.tokenview.com/cn/tx/0x0e26a5b2c59ce2da821a353cea99720014e3d13ddc4f84af6ba01dd714c62d8d

  原文： THE POLY HAS WELL ENOUGH ASSETS TO START THE RECOVERING PHASE. I HAVE ASKED THE POLY TO SETUP A NEW MULTISIG WALLET. I CAN MOVE THE FUNDS ASAP. I WILL PROVIDE THE FINAL KEY WHEN _EVERYONE_ IS READY.

  翻译： Poly 已有足够的资金开始复苏。我已经要求 Poly 设立一个新的多签钱包。我可以尽快转移资金。当每个人都准备好时，我将提供最终密钥。

交易 hash：
https://eth.tokenview.com/cn/tx/0xc02baa06d4e446c725aeda4878ea2f7a3ecf770f73dcfb330b6bae7fedf48013

  原文： TO DEFI NOOBS: MY INITIAL ATTEMPT WAS DEPOSITING THE STABLES FOR INTERESTS, ITS BENIGN AND SAFE. I DIDNT EVEN WANT TO CAUSE IMBALANCE OF THE STABLE POOLS BY SWAPPING. MY PLAN WAS HOLDING 3CRV UNTIL I REALIZED WITHDRAWING INTO USDC WOULD BE STUPID, THEN I HAD NO CHOICE BUT TO CONVERT THEM INTO DAI. ITS CLEARLY TRACABLE, WHY IS IT LAUNDERING?

  翻译： 致DEFI 菜鸟们：我最初的尝试是拿稳定币获取利息，这是良性和安全的。我甚至不想因为兑换而造成稳定池的不平衡。我的计划是持有3CRV，直到我意识到取出USDC是愚蠢的，然后我别无选择，只能把他们变成DAI。很明显是可追踪的，我不会洗币的。

交易 hash：
https://eth.tokenview.com/cn/tx/0x5fbd4fe7e3d36b75e8f8f05a1e003e9e4d254bfe8242e33af166eecc2f29d839

  原文： TO DEFI NOOBS: WHY DO YOU THINK I HAVE NO WAY TO TRANSFER THE MONEY? BECAUSE ITS TOO MUCH? TORNADO IS POWERFUL ENOUGH, I COULD JUST TRANSFER 100ETH EVERY MONTH, HOW WOULD YOU IDENTIFY THE CASH FLOW? I TEASED THE CROWD, BUT I NEVER TRIED

  翻译： 致DEFI 菜鸟们：为什么你认为我没有办法转账？因为太多了吗？龙卷风的威力足够大，我每个月只能转账100ETH，你能识别那里的资金流吗？我招惹你们了吗，但我可从来不曾。

交易 hash：
https://eth.tokenview.com/cn/tx/0xc0d284617a1805dafddf8e8d71d10acbdec8e2ed679c66ea97c7f928e97f7605

  原文： TO CRYPTO NOOBS: IN THE DEFI WORLD, CODE IS LAW. THEN WHO IS THE ARBITRATOR? WE, THE HACKERS, ARE THE ARMED FORCES. IF YOU ARE GIVEN WEAPONS AND GUARDING BILLIONS FROM THE CROWD WHILE BEING _ANONYMOUS_, WILL YOU BE A TERRORIST OR THE BATMAN?

  翻译： 致搞安全的菜鸟们：在DEFI的世界里，代码就是法律。那谁是仲裁呢？我们，黑客，武装部队。如果你在匿名的情况下得到武器，并在人群中守卫着数十亿美元，你会成为恐怖分子还是蝙蝠侠？

交易 hash：
https://eth.tokenview.com/cn/tx/0xd73daf995a2aab071560f14555beca73b6dce9c3cac01085e2c372d29e012c66

  原文： TO SECURITY NOOBS: NO SYSTEM IS PERFECT. I DONT THINK YOU SHOULD BLAME THE POLY TEAM OR THEIR AUDITORS. FROM MY EXPERIENCE, IT'S NOT TRIVIAL FOR A SINGLE ENTITY TO UNDERSTAND THE WHOLE LOGIC OF THE POLY NETWORK SYSTEM, IT'S EVEN HARDER TO FIGURE OUT THE SUBTLE BUG. WHAT I EXPECT YOU TO KNOW IS THAT DO NOT BET YOUR WHOLE LIFE ON SOMETHING YOU MAY NEVER UNDERSTAND!

  翻译： 致搞安全的菜鸟们：没有一个系统是完美的。我认为你不应该责怪Poly团队或他们的审计师。根据我的经验，要理解保利网络系统的整个逻辑并不是一件小事，要弄清楚这个微妙的错误就更难了。我希望你知道的是，不要把你的一生都押在你可能永远不会明白的事情上！

交易 hash：
https://eth.tokenview.com/cn/tx/0x6eeeb4ea8566707b3e9a18934ab0258ddcd474faa91d5e8f2bf74a20171feb1b

  原文： TO SECURITY NOOBS: CEX OR DEX, WHICH ONE IS SAFER? IT DPENDS ON WHETHER YOU KNOW HOW TO PROTECT YOURSELF. IN MY CASE, THE TOTAL COST IS HUNDERDS OF USD. NO KYC. EVERYTHING IN THE DEX IS TEMPORARY. I WOULD CALL IT _THE BAIT_.

  翻译： 致搞安全的菜鸟们：中心化和去中心化，哪个更安全？这取决于你是否知道如何保护自己。就我而言，总成本是几百USD，无KYC。中心化交易所里的一切都是暂时的。我会称它为诱饵。

交易 hash：
https://eth.tokenview.com/cn/tx/0xbd66349e77b8d4e493e3a13ae146557a72e8585650b6ec3a71c402c66e2d3882

  原文： TX：0x98b6316d3004be81c5d1b06c27472bef8097c9c922345876cd36111495ccf32a

DECRYPTED: 'We appreciate you sharing your experience and believe your action constitutes white hat behavior. But we can't touch user assets and Poly Network doesn't have its own token. Since , we believe your action is white hat behavior, we plan to offer you a $500,000 bug bounty after you complete the refund fully. Also we assure you that you will not be accountable for this incident. We hope that you can return all tokens as soon as possible. You can reserve the equivalent value of 500,000 USD in any assets to the current owner address. We will make up this part of the assets to Poly Network users. Your contribution is very helpful to us. Again, we think this behavior is white hat behavior, therefor this 500,000 USD will be seen as completely legal bounty reward. We will also ensure that you will not be held accountable for this incident, and we will publicly express our gratitude to you.'

  翻译： TX：0x98b6316d3004be81c5d1b06c27472bef8097c9c922345876cd36111495ccf32a

称：“我们非常感谢您分享您的经历，并相信您的行为构成了白帽行为。”但我们不能触及用户资产，Poly网络也没有自己的token。由于我们认为您的行为是白帽行为，我们计划在您完成全额退款后向您提供50万美元的漏洞赏金。另外，我们向您保证，您不会对这一事件负责。我们希望您能尽快退还所有代币。您可以将任何资产中的等值500,000美元保留到当前所有者地址。我们将向Poly网络的用户补充这部分资产。你的贡献对我们很有帮助。同样，我们认为这一行为是白帽行为，因此这50万美元将被视为完全合法的赏金。我们还将确保您不会为这一事件承担责任，我们将公开向您表示感谢。

交易 hash：
https://eth.tokenview.com/cn/tx/0x5a17cb912b9a0a1bf12a1ced9a8d108ce7c1de3355df7826d47dc13ba44fadce

  原文： TX：0x05f90618be1e7f64230618476912dccb0091f6eb011dd983f4ac7239e846d422

DECRYPTED: 'We've had a fix. It had been cross-checked internally and reviewed by a well known security audit team.The multi-sig address we provided is safe, please send the remainings to that address. We will send you the 500k bounty when the remainings are returned except the frozen USDT.'

  翻译： TX：0x05f90618be1e7f64230618476912dccb0091f6eb011dd983f4ac7239e846d422

称：“我们已经解决了问题。我们内部进行了交叉检查，并由知名的安全审计团队进行了审查。我们提供的多重签名地址是安全的，请将剩余部分发送到该地址。当除了冻结的USDT之外的剩余部分归还时，我们将向您发送50万赏金。”

交易 hash：
https://eth.tokenview.com/cn/tx/0x962d0df8f580051bb53e4fa2a2570073a0cd4c5c719c1936e707101e735ceee1

  原文： THE POLY DID OFFERED A BOUNTY, BUT I HAVE NEVER RESPONDED TO THEM. INSTEAD, I WILL SEND ALL OF THEIR MONEY BACK.

  翻译： Poly确实提供了一笔赏金，但我从来没有回应过他们。取而代之的是，我会把他们所有的钱都寄回去。

交易 hash：
https://eth.tokenview.com/cn/tx/0xdeb4d7ddc2e921e999214e78879ae5afb6f7c268d6643b19d20ca64c398de7ca

  原文： NOW COMES THE LAST TOKEN, ETH! HOWEVER, I AM TERRIFIED FOR THE FIRST TIME! THEY ARE CALLING ME MR. 600 MILLION, BUT THE PRICE OF ETH IS GOING DOWN RECENTLY, WHAT IF MY BALANCE CAN NOT COVER THE DEBT? ETH TO THE MOON PLZ!

  翻译： 现在是最后一个Token了，ETH！然而，我被吓坏了！他们叫我6亿先生，但是最近ETH的价格在下降，如果我的余额不能偿还债务怎么办？ETH，请到月球上去吧！

交易 hash：
https://eth.tokenview.com/cn/tx/0xf34ee3551be7be57df6643d4ec7e4bdf9fd047d925c3c32a74e64e7428e5f8a9

  原文： Q & A, PART FIVE: Q: WHY AMA? YOUR CONFESSION? A: IT'S MORE LIKE A DIARY. SOMETHING I AM PROUD OF. Q: WHY ALL CAPITAL? A: AS I SAID, I DON'T CARE ABOUT MONEY OR CAPITAL. Q: GARBAGE ENGLISH? A: NOT NATIVE SPEAKER. (LEAKING IDENTITY 1) I JUST EXPRESSED MY TRUE FEELINGS WITHOUT POLISHING. TYPING WHILE HOLDING THE 'SHIFT' IS NOT EASY. Q: BLACK HAT OR WHITE HAT? A: I ALSO ENJOY THE FEELING OF SUPERIORITY BY JUDGING OTHERS, BUT IT'S NEVER EASY. NOT ONLY LAWFUL GOOD CAN BE THE WHITE HAT. SO CALLED BLACK HAT CAN ALSO BE A NICE GUY. PEOPLE ARE VARIABLE. HAVE YOU HEARD OF GRAYSCALE? Q: SHOULDN'T A WHITE HAT JUST NOTIFY THE DEVS? A: READ P1Q1234. DEFI IS A DARK FOREST, HUNDREDS OF PROJECTS RAN AWAY EVERY YEAR. I DONT TRUST ANYONE. Q: WHY HIDING AT THE BEGINNING? A: YOU MIGHT BE IN DANGER FOR ANY REASON EVEN IF YOU ARE LAWFUL GOOD. SECURITY GUYS DO CARE ABOUT SECURITY. Q: WHY EXPLAIN SO MUCH? A: READ P4Q2. THE GUIDING PART MEANS A LOT TO ME. I WOULD LIKE TO SHARE HOW I PWNED MY MIND TO OVERCOME THE ARROGANT AND GREED. I THINK THE MENTAL CHALLENGE IS NOT EASIER THAN THE HACKING PART. TO BE HONEST, I WAS SO EXCITED WHEN THE EXPOLIT WORKED THAT I ALMOST FORGOT MY ORIGINAL PLAN, BECAUSE THERE WAS TOO MUCH GUESSING AND IT'S UNEXPECTED (SEE P2Q1). THE FIRST MESSAGE(SEE P3Q1) SPARKED MY INTEREST IN DOING SOME CREATIVE THINGS. I SPENT SOME TIME LOOKING FOR FUNNY BUT RATIONAL IDEAS FROM MY MESSAGE LIST. I AM (STILL) STRONGLY CONFIDENT ABOUT MY HIDING, SO I THINK I CAN HANDLE THE GAME AS LONG AS I DONT CAUSE UNAFFORDABLE LOSS. LATER I STARTED TO CALM DOWN BECAUSE OF THOSE REFUGEES. YES, I REALIZED THAT EVEN TAKING OVER THE MONEY TEMPORARILY IS STILL AN UNFORGIVEN JOKE, IT'S CAUSING TOO MUCH PAIN. FOR THE 'ONE BILLION SHITCOIN' JOKE, I MEANT THE HEADLINE OF THIS INCIDENT COULD BE MORE EYECATCHING, BUT THE ENDING WOULD BE THE SAME: I WOULD NOT DUMP THE SHITCOINS. IT TURNED OUT TO BE A TERRIBLE JOKE. FOR THE 'DAO' JOKE, I WAS ASKING THE COMMUNITY HOW AND WHEN TO REFUND. IT WAS A IRRESPONSIBLE JOKE. I WAS NOT TERRIFIED BECAUSE OF EXPOSURE OR LAUNDERING TROUBLE AT ALL (READ MY NOOB LESSONS). I JUST REALIZED I SHOULD BE CAUTIOUS BECAUSE MY DECISION WOULD CHANGE THE LIVES OF MANY PEOPLE! IF I LEFT TOKENS THERE AND QUIT THE GAME, I COULD ENJOY THE LIFE OF BEING A MILLIONAIRE AND CONTINUE MY EXPLORATION AS USUAL, BUT THOUSANDS OF PEOPLE WOULD LOSE CONTROL OF THEIR FATE. THIS IS AGAINST MY PERSONAL PHILOSOPHY (SEE P4Q2). _SOON_ I WROTE AN _EMAIL_ TO THE POLY ATTACHING A SIGNED ETH TRANSACTION FROM AN ANONYMOUS MAILBOX. IF THEY HAD GOT THE MAIL, THEY WOULD BE ABLE TO BROADCAST A TRANSACTION FROM MY ADDRESS. THIS WAS NOT A WISE MOVE, SINCE I CAN NOT BROADCAST ANY NEW MESSAGE BEFORE THEM. THAT MAIL MUST BE LOST, I WAS NOT ACKNOWLEDGED FROM THE ETH, BUT I WAITED A FEW HOURS BECAUSE OF THAT MISTAKE. THE NEXT PART OF THE STORY IS WHAT YOU ALREADY KNOW. I STOPPED MY GAME AND RETURNED THE MONEY, AS I PROMISED, AS I PLANNED. Q: YOU ARE NOT EXPOSED, BUT THEY HAVE GOT THE CLUES, SO YOU ARE TERRIFIED! A: I AM MORE CONFIDENT THAN ANY OTHERS. I AM A HIGH PROFILE HACKER IN THE REAL WORLD (LEAKING IDENTITY 2). I WORK IN THE SECURITY INDUSTRY AND HAVE BEEN DEVOTED TO HACKING CAREER SINCE YOUNG (LEAKING IDENTITY 3). SERIOUSLY, AS SECURITY RESEARCHERS, OUR JOB IS TO SAVE THE HIDDEN WORLD. I KNOW SECURITY CONSULTING IS A HARD JOB, AND PUBLIC RELATION AND REPUTATION MEAN A LOT. I DON'T MIND SECURITY TEAMS MAKING ADVERTISEMENTS BASED ON MY INCIDENT, ESPECIALLY WHEN IT'S HELPFUL TO THEM. RAISING CONCERNS ABOUT SECURITY IS ALSO THE MISSION OF OUR CAREER. IF ANY HACKER CAN FIND MY SOCIAL IDENTITY IN ONE MONTH, I WOULD LIKE TO SEND HIM MY PERSONAL GIFT. OTHERWISE, I MAY OR MAY NOT LEAK ANOTHER CLUE OF MY IDENTITY. SHALL WE PLAY THE GAME? EVEN IF I AM IDENTIFIED, I AM STILL PROUD OF MY INTEGRITY

  翻译： 

问与答，第五部分：

问：为什么是AMA？你的供词？

答：它更像是一本日记。一些我引以为豪的事。

问：为什么归还所有的钱？

答：我说的，我不在乎钱。

问：垃圾英语？

答：不是以英语为母语的人。(泄露身份1)我只是不加修饰地表达了我的真实感受。按住“Shift”键打字并非易事。

问：黑帽还是白帽？

答：我也喜欢通过评判别人来获得优越感，但这从来都不是一件容易的事。不仅仅是合法的好人可以是白帽子。所谓的黑帽也可以是个好人。人是多变的。你听说过灰度吗？

问：难道白帽子不应该直接通知开发人员吗？

答：请阅读P1Q1234。Defi是一片黑暗的森林，每年都有数百个项目落荒而逃。我不相信任何人。

问：为什么一开始就躲起来？

答：即使你是合法的好人，你也可能因为任何原因而处于危险之中。安全人员确实关心安全问题。

问：为什么要解释这么多？

答：阅读P4Q2。指导部分对我来说意义重大。我想和大家分享我是如何用我的思想来克服傲慢和贪婪的。我认为精神上的挑战并不比黑客部分容易。老实说，攻击成功的时候我太兴奋了，几乎忘了我原来的计划，因为有太多的猜测，这是意想不到的(见P2Q1)。第一条信息(见P3Q1)激发了我做一些有创意的事情的兴趣。我花了一些时间从我的消息列表中寻找有趣但又合理的想法。我(仍然)对我的藏身很有信心，所以我认为只要我不造成无法承受的损失，我就能应付这场比赛。后来因为那些难民，我开始冷静下来。是的，我意识到即使暂时接管这笔钱也是一个不可原谅的笑话，它造成了太多的痛苦。

对于“十亿个SHITCOIN”的笑话，我的意思是这一事件的标题可以更吸引眼球，但结局将是一样的：我不会抛弃SHITCOINS。结果这是个糟糕的笑话。

对于“DAO”的笑话，我是在问社区如何退款，什么时候退款。这是个不负责任的笑话。

我一点也不害怕暴露或洗钱的麻烦(阅读我的菜鸟教程)。我刚刚意识到我应该谨慎，因为我的决定会改变很多人的生活！如果我把代币留在那里退出游戏，我可以享受成为百万富翁的生活，像往常一样继续我的探索，但成千上万的人会失去对自己命运的控制。这违背了我的个人哲学(见P4Q2)。

很快我写了一封邮件给Poly，附上了一笔来自匿名邮箱的以太坊签名交易。如果他们收到了邮件，他们就能从我的地址广播一笔交易。这不是明智之举，因为我不能在他们之前广播任何新消息。那封邮件一定是丢了，我没有从以太坊收到通知，但由于那个错误，我等了几个小时。故事的下一部分你已经知道的。我停止了我的游戏，并按照我的计划归还了钱，就像我承诺的那样。

问：你没有暴露，但他们有线索，所以你很害怕！

答：我比其他任何人都更有信心。我在现实世界中是一个备受瞩目的黑客(泄露身份2)。我在安全行业工作，从小就致力于黑客事业(泄露身份3)。说真的，作为安全研究人员，我们的工作是拯救隐藏的世界。我知道安全咨询是一项艰巨的工作，公关和声誉意义重大。我不介意安全团队根据我的事件做广告，特别是当这对他们有帮助的时候。提高人们对安全的担忧也是我们职业生涯的使命。

如果任何黑客能在一个月内找到我的社交身份，我愿意把我的私人礼物送给他。否则，我可能会也可能不会泄露我身份的另一条线索。我们来玩这个游戏好吗？即使我被确认了身份，我仍然为自己的正直感到自豪：)

原文始发于微信公众号（区块链安全实验室）：Poly Network 被攻击事件中来自黑客的 25 段对话