  • Recently, Polygon covertly fixed a smart contract loophole that would have led to the potential loss of $24B.
  • The vulnerability was disclosed by two white hat hackers and is the second to be reported in 3 months.

Ethereum layer-two scaling solution Polygon (MATIC) has quietly fixed a bug that put $24 billion worth of MATIC at risk. Two white hat hackers were the first to note the vulnerability on the network’s Proof-of-Stake (PoS) Genesis contract. They reported it through blockchain security and bug bounty hosting platform Immunefi on Dec. 3 and Dec. 4.

As Polygon notes, the vulnerability was “critical” because it put 9.27 billion of the total 10 billion MATIC token supply at risk. At the time of writing, this amount is worth a whopping $23.6 billion.

To resolve the bug, an “Emergency Bor Upgrade” was introduced to the Mainnet at Block #22156660 on Dec. 5 at around 7:27 am UTC. A Polygon blog post reads:

“The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix. The validator and full node communities were notified, and they rallied behind the core devs to upgrade 80% of the network within 24 hours without stoppage.”

Polygon and the system bug

Additionally, the fix was rolled out covertly, per the Go Ethereum (Geth) policy of Nov. 2020. The guideline states that projects or developers should withhold reporting key bug fixes until 4-8 weeks after they go live. This reduces the likelihood of exploitation by black hat hackers at the time of patching. Polygon already lost 801,601 MATIC (roughly $2.04M) to a “malicious hacker” before the bug was removed.

According to Immunefi, the white hat hackers will be duly rewarded for their efforts in flagging the vulnerability. Leon Spacewalker, who first highlighted the bug on Dec. 3, will receive a reward of stablecoins worth $2.2 million. Meanwhile, the second hacker, with the pseudonym “Whitehat2,” will receive 500,000 MATIC (about $1.27M) from Polygon.


Polygon’s co-founder Jaynti Kanani commended the network for its show of strength and prompt resolution of the bug, saying:

“What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances.”

Decentralized or not?

Back in October, Polygon paid another white-hat hacker a $2 million bounty for disclosing an $850 million vulnerability on the network. But despite the network’s security maintenance efforts, it has come under scrutiny for not being ‘fully decentralized.’ The criticism arose almost two weeks ago when Polygon hard forked “in the middle of the night” with no previous communication on the same.


MATIC, per our data, is currently priced at $2.47, having shed 3.2 percent on the day following a wider market downtrend. The token is, however, up 16.4 percent and 36.2 percent in the last fortnight and 30 days, respectively.

