Embedded in one of the final transactions from the hacker is a long note, in which he apologizes for the inconvenience he’s caused, calls the hack and process of returning the funds a “wild adventure,” and promises to return more money than he originally stole (which he requests be distributed to “survivors,” seemingly referring to those who had their money stolen). According to the hacker’s note, the extra funds come from the $500,000 bounty that Poly Network paid him for finding the security flaw, as well as from the stream of donations that he’s received since the hack (and is still receiving, according to his wallet’s transaction records).
Poly Network said in another blog post that it would start a $500,000 bug bounty program to encourage researchers to find (and responsibly disclose) other vulnerabilities in its software. Currently, the company’s bug bounty listing on Immunefi says that the maximum bounty is $100,000.
As for when Poly Network’s users will actually see the returned funds hit their wallets, the company says it’s working on returning them “within the shortest time frame possible.”