On December 3, white hat hackers at the bug bounty platform Immunefi discovered a vulnerability in Polygon, a framework used to build Ethereum-compatible blockchain networks. The bug would have put 9,276,584,332 MATIC, worth almost $23 billion, at risk. MATIC is the cryptocurrency of the Polygon network. With help from Immunefi, Polygon’s core development team was able to fix the critical network vulnerability. It was found in the network’s proof-of-stake genesis contract. Before the Polygon team addressed it, a malicious hacker exploited the bug to steal about 801,601 MATIC, worth nearly $2 million at the time. According to Immunefi, the vulnerability stemmed from a lack of balance/allowance checks in the transfer function of Polygon’s MRC20 contract. An attacker would have been able to steal all available MATIC from that contract by exploiting the bug.
“Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances,” said Polygon’s co-founder Jaynti Kanani.
Ethereum-based layer two scaling network Polygon has quietly fixed a vulnerability that put almost $24 billion worth of its native token MATIC at risk.
According to a Dec. 29 blog post from Polygon, the “critical” vulnerability in the network’s Proof-of-Stake (PoS) Genesis contract was first highlighted by two whitehat hackers on Dec. 3 and Dec. 4 via blockchain security and bug bounty hosting platform Immunefi.
All you need to know about the recent Polygon network update.
Go Ethereum (Geth) team in November 2020. Under the guidelines, projects or developers report on key bug fixes 4-8 weeks after they go live to avoid the risk of being exploited at the time of patching.
According to Immunefi, Whitehat hacker “Leon Spacewalker” was the first to report on the security hole on Dec. 3 and will be rewarded with $2.2 million worth of stablecoins for their efforts, while the second unnamed hacker, referred to as “Whitehat2” will receive 500,000 MATIC ($1.27 million) from Polygon.
Polygon’s co-founder Jaynti Kanani emphasized the network’s ability to promptly resolve the critical bug, noting in the blog post that:
What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure.
Critical polygon bug put billion riska
A security partner discovered a vulnerability ✅Fix was immediately introduced ✅Validators upgraded the network ✅No material harm to the protocol/end-users ✅White hats were paid a bounty https://t.co/oyDkvohg33— Polygon | $MATIC (@0xPolygon) December 29, 2021
The vulnerability put more than 9.27 billion MATIC at risk that is valued at around $23.6 billion at the time of writing, with the figure representing the vast majority of the token’s total supply of 10 billion.
Polygon noted that the bug was resolved at Block #22156660 via an “Emergency Bor Upgrade” to the Mainnet on Dec. 5 at around 7:27 am UTC. The network noted that a “malicious hacker” managed to steal 801,601 MATIC ($2.04 million) before the bug was resolved. The blog post said:
The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix.
Critical polygon bug put billion risks
When sending Ether, you’re making a transaction that a wallet needs to sign,” Immunefi says. “Gasless MATIC transfers are facilitated by the transferWithSig() function. The user who owns the tokens signs a bundle of parameters including the operator, amount, nonce and expiration.”
A gasless transaction is one in which a third party sends someone else’s transaction and absorbs what is called the “gas” cost.
Immunefi did not immediately respond to Information Security Media Group’s request for additional details on the specifications of the vulnerability and the process of its discovery.
Polygon paid a total bounty of $3.46 million to two white hat hackers who discovered the bug, according to the blog post. Leon Spacewalker, the first white hat hacker to report the security loophole on Dec.
Critical polygon bug put billion risked
Immunefi’s expert team. The upgrade was implemented on Dec. 5.
“The validator and full node communities were notified, and they rallied behind the core devs to upgrade 80% of the network within 24 hours without stoppage,” the post says.
Polygon did not immediately respond to Information Security Media Group’s request for technical details on the vulnerability and the specific risks it posed.
Immunefi, in a Medium post, says that the vulnerability consisted of a lack of balance/allowance checks in the transfer function of Polygon’s MRC20 contract and would have allowed an attacker to steal all available MATIC from that contract.
“The MRC20 standard is used mainly for the possibility of transferring MATIC gaslessly, which, with Ether, is impossible to do so.
The core development team behind Polygon has revealed that a critical bug in one of its contracts was briefly exploited for $1.6 million.
Polygon Was Secretly Hardforked to Patch Critical Bug
Polygon, a Proof-of-Stake sidechain on Ethereum, was briefly hacked earlier this month due to a bug later fixed via a hard fork on Dec. 5. Before the hard fork, an unknown hacker stole $1.6 million in MATIC tokens, the team revealed in a Thursday blog post, 24 days after the event.
In the first week of December, Leon Spacewalker and Whitehat2, two ethical hackers associated with bug bounty platform Immunefi, notified Polygon of a vulnerability.
The bug was found in the transfer function of its MRC20 contract used for gasless transactions on the network.
After the bug was reported, Polygon patched the bug by leveraging a stealth hard fork working alongside all of its validators and node operators. Even though the vulnerability was fixed within a few days, it could not stop an unknown black hat hacker from stealing 801,601 MATIC tokens worth $1.6 million at the time. In a post-mortem, the team reported:
“Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect.”
The situation could have been far worse had this been delayed further.
Immunefi, which assisted Polygon in deploying the fix, stated in a different blog post that if the Polygon bug had not been reported, malicious hackers could have drained roughly 9.2 billion MATIC tokens valued at about $20 billion at the time.
Commenting on the steps taken by the team to patch the vulnerability, Polygon co-founder Jaynti Kanani said the team “made the best decisions possible given the circumstances.”
Polygon has paid bounty rewards of about $3.46 million to the ethical hackers who reported the bug. In addition, the team said it will bear the cost of stolen MATIC tokens.
This was not the first time when a critical bug was discovered and patched on Polygon. In October 2021, Polygon patched a critical bug on its Plasma Bridge that had $850 million in locked funds.
Polygon did not clarify why the hack was not made public for 24 days.
Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & CybercrimePolygon Bug Put $23 Billion in Cryptocurrency at RiskHacker Used Exploit, Now Patched, to Steal $2 Million in TokensPrajeet Nair (@prajeetspeaks) • December 30, 2021
A vulnerability in Polygon, a framework used to build Ethereum-compatible blockchain networks, has been fixed.
See Also:OnDemand | Zero Tolerance: Controlling The Landscape Where You’ll Meet Your Adversaries
The bug, discovered on Dec. 3 by white hat hackers at bug bounty platform Immunefi, would have put 9,276,584,332 MATIC, worth nearly $23 billion at the time, at risk, according to Immunefi.
MATIC is the cryptocurrency used within the Polygon network.
“Polygon’s core development team with help from bug bounty platform Immunefi successfully fixed a critical network vulnerability.
Polygon network update. A security partner discovered a vulnerability Fix was immediately introduced Validators upgraded the network No material harm to the protocol/end-users White hats were paid a bounty https://t.co/oyDkvohg33— Polygon | $MATIC(@0xPolygon) December 29, 2021
On Dec. 3, a group of white hat hackers notified Immunefi – which hosts Polygon’s bug bounty program – about the vulnerability in the network’s proof-of-stake genesis contract, according to the blog post.
Before the Polygon team could address the vulnerability, a malicious hacker used the exploit to steal around 801,601 MATIC, worth around $2 million at the time, the post says.
Polygon says it will bear the cost of the theft.
“All projects that achieve any measure of success sooner or later find themselves in this situation,” says Jaynti Kanani, co-founder of Polygon.
Whitehat2, will receive 500,000 MATIC (currently over $1.2 million) from Polygon.
Spacewalker didn’t respond to ISMG’s request for comments.
Twitter is abuzz with concerns about how Polygon addressed the vulnerability.
Nathan Worsley, an MEV engineer and DeFi builder, tweeted: “Are we all supposed to just shut up and forget about the fact that over a week ago Polygon hard-forked their blockchain in the middle of the night with no warning to a completely closed-source genesis and still haven’t verified the code or explained what is going on?”
We are now investing much more in security and we’re making an effort to improve security practices across all Polygon projects.
As a part of this effort, we are working with multiple security researcher groups, whitehat hackers etc.