Security Audit

Incident Report & Remediation

What Happened

On January 6, 2025, Polycule (formerly PMX) experienced a security breach originating from a compromised third-party dependency. Our withdrawal server relied on the aiohttps library to handle asynchronous, scalable HTTPS requests—the core purpose the library was designed for. This library was used to construct headers for all outbound POST requests from the server.

At the time, private keys were stored using AWS KMS (Key Management Service). The compromised aiohttps library allowed an attacker to intercept withdrawal requests by exploiting the request headers, redirecting funds to wallets under the attacker's control.

The incident was detected within hours. Emergency recovery procedures were executed, and the majority of affected assets were recovered.

What We've Done Since

Following the incident, we undertook a complete overhaul of our security infrastructure:

  • Full User Reimbursement. All user balances were restored to pre-hack levels.
  • Sherlock Audit. We engaged Sherlock for a comprehensive security audit and passed all checks.
  • Turnkey Key Management. Private keys are now managed through Turnkey's non-custodial infrastructure with secure hardware enclaves—keys are never exposed to application code.
  • Dependency Auditing. All third-party libraries are now vetted and continuously monitored for supply-chain vulnerabilities.
  • Rigorous Security Checks. Enhanced monitoring, network segmentation, and automated alerting are in place to prevent and detect any similar incidents.

Current Status

The platform is fully operational with a significantly hardened security posture. All audits have been passed, and we continue to maintain the highest standards for protecting user assets.

Questions

If you have questions about this incident or your account, reach out to our support team.

Last Updated: January 2025