Critical Polygon bug put tokens at risk

The critical vulnerability put over 9.27B MATIC, equivalent to about $23.6B, at severe risk and raised safety concerns among users.

The bug was fixed at Block #22156660 through an ‘Emergency Bor Upgrade’ to the Mainnet at 7:27 AM UTC on December 5, 2021. Polygon confirmed that a malicious actor had succeeded in stealing 801,601 MATIC tokens, worth about $2.04M, before the issue was resolved. The Polygon core team worked closely with the white hat group and Immunefi team members to fix the flaw. Validators and full node operators were notified quickly, and they rallied behind the core developers to upgrade 80% of the network within 24 hours without any halt.

The Polygon network follows the ‘silent patches’ policy introduced by the Go Ethereum team in November 2020, and so resolved the issue quietly, without alarming the ecosystem before the fix was in place.


The silent-patch guidelines were introduced by the Go Ethereum (Geth) team in November 2020. Under them, projects and developers disclose key bug fixes 4 to 8 weeks after the fixes go live, to avoid the risk of the bug being exploited while the patch is still rolling out.

According to Immunefi, Whitehat hacker “Leon Spacewalker” was the first to report on the security hole on Dec. 3 and will be rewarded with $2.2 million worth of stablecoins for their efforts, while the second unnamed hacker, referred to as “Whitehat2” will receive 500,000 MATIC ($1.27 million) from Polygon.

Polygon’s co-founder Jaynti Kanani emphasized the network’s ability to promptly resolve the critical bug, noting in the blog post that:

What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure.


“When sending Ether, you’re making a transaction that a wallet needs to sign,” Immunefi says. “Gasless MATIC transfers are facilitated by the transferWithSig() function. The user who owns the tokens signs a bundle of parameters including the operator, amount, nonce and expiration.”

A gasless transaction is one in which a third party (a relayer) submits someone else’s signed transaction and pays its “gas” fee, the cost of executing it on the chain.

Immunefi did not immediately respond to Information Security Media Group’s request for additional details on the specifications of the vulnerability and the process of its discovery.

Bug Bounty

Polygon paid a total bounty of $3.46 million to two white hat hackers who discovered the bug, according to the blog post. Leon Spacewalker, the first white hat hacker to report the security loophole on Dec.


Polygon network update.
✅ A security partner discovered a vulnerability
✅ Fix was immediately introduced
✅ Validators upgraded the network
✅ No material harm to the protocol/end-users
✅ White hats were paid a bounty
https://t.co/oyDkvohg33
— Polygon | $MATIC (@0xPolygon), December 29, 2021

On Dec. 3, a group of white hat hackers notified Immunefi – which hosts Polygon’s bug bounty program – about the vulnerability in the network’s proof-of-stake genesis contract, according to the blog post.

Before the Polygon team could address the vulnerability, a malicious hacker used the exploit to steal around 801,601 MATIC, worth around $2 million at the time, the post says.

Polygon says it will bear the cost of the theft.

“All projects that achieve any measure of success sooner or later find themselves in this situation,” says Jaynti Kanani, co-founder of Polygon.


The second white hat hacker, Whitehat2, will receive 500,000 MATIC (currently over $1.2 million) from Polygon.

Spacewalker didn’t respond to ISMG’s request for comments.

Transparency Concerns

Twitter is abuzz with concerns about how Polygon addressed the vulnerability.

Nathan Worsley, an MEV engineer and DeFi builder, tweeted: “Are we all supposed to just shut up and forget about the fact that over a week ago Polygon hard-forked their blockchain in the middle of the night with no warning to a completely closed-source genesis and still haven’t verified the code or explained what is going on?”

We are now investing much more in security and we’re making an effort to improve security practices across all Polygon projects.

As a part of this effort, we are working with multiple security researcher groups, whitehat hackers etc.



The vulnerability put more than 9.27 billion MATIC at risk that is valued at around $23.6 billion at the time of writing, with the figure representing the vast majority of the token’s total supply of 10 billion.

Polygon noted that the bug was resolved at Block #22156660 via an “Emergency Bor Upgrade” to the Mainnet on Dec. 5 at around 7:27 am UTC. The network noted that a “malicious hacker” managed to steal 801,601 MATIC ($2.04 million) before the bug was resolved. The blog post said:

The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix.

Polygon, a decentralized layer-two scaling network running on Ethereum, recently kept roughly $24B worth of MATIC tokens out of the reach of a critical bug. The vulnerability posed a serious risk to the network and its users. Notably, the Polygon team fixed it swiftly and quietly, so that users noticed nothing unusual while the upgrade rolled out.

According to Polygon’s official blog post, the vulnerability in the network’s Proof-of-Stake (PoS) Genesis contract was first reported by two white hat hackers, on December 3 and December 4, through Immunefi.
For those who don’t know, Immunefi is a popular blockchain security and bug bounty platform.

The Polygon core team engaged with the white hats and Immunefi’s expert team. The upgrade was implemented on Dec. 5.

“The validator and full node communities were notified, and they rallied behind the core devs to upgrade 80% of the network within 24 hours without stoppage,” the post says.

Polygon did not immediately respond to Information Security Media Group’s request for technical details on the vulnerability and the specific risks it posed.

The Vulnerability

Immunefi, in a Medium post, says that the vulnerability consisted of a lack of balance/allowance checks in the transfer function of Polygon’s MRC20 contract and would have allowed an attacker to steal all available MATIC from that contract.

“The MRC20 standard is used mainly for the possibility of transferring MATIC gaslessly, which is impossible to do with Ether.”
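The following is an added example, not code from Polygon’s contracts or from Immunefi’s report: a Python model of the transferWithSig() flow described in the quoted passages (the token owner signs a bundle of operator, amount, nonce and expiration, and a relayer submits it), with the unchecked payout the text describes beside the balance check it says was missing. The HMAC “signature” and key-lookup “recovery” are stand-ins for ECDSA and ecrecover, every address, secret, balance and block number is constructed for the example, and the shape of the vulnerable path (the contract paying the recipient from its own pooled native tokens) is an assumption drawn from the description above, not the contract’s actual source.

```python
"""Gasless transferWithSig model: the unchecked shape beside a checked one.
Constructed illustration, not Polygon's MRC20 contract; accounts are made up."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TransferOrder:
    """Bundle the owner signs: permitted relayer, amount, nonce, expiry block."""
    operator: str
    amount: int
    nonce: int
    expiration: int  # 0 means the order never expires

    def digest(self) -> bytes:
        msg = f"{self.operator}|{self.amount}|{self.nonce}|{self.expiration}"
        return hashlib.sha256(msg.encode()).digest()


def sign(order: TransferOrder, secret: bytes) -> str:
    """Owner-side signing; HMAC stands in for an ECDSA signature."""
    return hmac.new(secret, order.digest(), "sha256").hexdigest()


class GaslessToken:
    """Shared front half of transferWithSig; subclasses supply _transfer."""
    def __init__(self, keys, balances, pool):
        self.keys = dict(keys)          # address -> secret (ecrecover stand-in)
        self.balances = dict(balances)  # per-account balances
        self.pool = pool                # native tokens held by the contract
        self.used = set()               # digests of orders already spent

    def _recover(self, order, sig):
        for addr, secret in self.keys.items():
            if hmac.compare_digest(sign(order, secret), sig):
                return addr
        raise ValueError("bad signature")

    def transfer_with_sig(self, msg_sender, sig, order, to, block):
        """The relayer (msg_sender) submits the owner's signed order."""
        if order.expiration and block > order.expiration:
            raise ValueError("signature expired")
        if msg_sender != order.operator:
            raise ValueError("caller is not the authorized operator")
        if order.digest() in self.used:
            raise ValueError("replay")
        self.used.add(order.digest())
        signer = self._recover(order, sig)
        self._transfer(signer, to, order.amount)
        return signer


class VulnerableToken(GaslessToken):
    """Pays out of the contract's pool without consulting the signer's balance."""
    def _transfer(self, sender, to, amount):
        if self.pool < amount:
            raise ValueError("pool exhausted")
        self.pool -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class CheckedToken(GaslessToken):
    """The missing check: the signer must hold the amount and is debited for it."""
    def _transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def submit(token, msg_sender, sig, order, to, block):
    """Relay an order and report the outcome instead of raising."""
    try:
        return "ok:" + token.transfer_with_sig(msg_sender, sig, order, to, block)
    except ValueError as err:
        return "rejected:" + str(err)


# Constructed fixture: empty-handed attacker, funded user, relayer, and a
# pool sized like the at-risk figure quoted in the article.
KEYS = {"0xattacker": b"attacker-secret", "0xalice": b"alice-secret"}
BALANCES = {"0xattacker": 0, "0xalice": 1_000, "0xrelayer": 0, "0xbob": 0}
POOL = 9_276_584_332


def drain_attempt(token_cls, amount=801_601):
    """Attacker signs for tokens they do not own and relays it themselves."""
    token = token_cls(KEYS, BALANCES, POOL)
    order = TransferOrder("0xattacker", amount, nonce=1, expiration=0)
    sig = sign(order, KEYS["0xattacker"])
    outcome = submit(token, "0xattacker", sig, order, "0xattacker", 22_156_000)
    return outcome, token.pool, token.balances["0xattacker"]


def legit_transfer(token_cls):
    """Alice lets the relayer move 100 to Bob; the relayer then replays it."""
    token = token_cls(KEYS, BALANCES, POOL)
    order = TransferOrder("0xrelayer", 100, nonce=7, expiration=22_160_000)
    sig = sign(order, KEYS["0xalice"])
    first = submit(token, "0xrelayer", sig, order, "0xbob", 22_156_660)
    second = submit(token, "0xrelayer", sig, order, "0xbob", 22_156_661)
    return first, second, token.balances["0xalice"], token.balances["0xbob"]
```

drain_attempt(VulnerableToken) pays the attacker 801,601 tokens out of the pool even though their balance is zero, while drain_attempt(CheckedToken) rejects the order. legit_transfer shows the second symptom of the unchecked path: Bob is credited but Alice is never debited, which is why the checked version both verifies and subtracts the signer’s balance. The expiration, operator and replay checks are the same in both classes; they protect the signer’s intent but do nothing about a signer who holds no tokens.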

Under those guidelines, developers disclose bug fixes 4 to 8 weeks after they go live, so that the fix does not reveal the bug to attackers while the patch is still being rolled out.

Commenting on the incident, Polygon co-founder Jaynti Kanani highlighted the network’s ability to resolve security issues quickly. He described the incident as a test of the network’s resilience and of the team’s ability to act under pressure, and added that the decisions taken were the best options available to the team at the time, given the enormous stake involved.

Immunefi revealed that Whitehat hacker ‘Leon Spacewalker’ was the first to report the issue on December 3.

He will be rewarded with $2.2M worth of stablecoins. The second person to report the issue was an anonymous user referred to as ‘Whitehat2’ who will get 500,000 MATIC tokens worth $1.27M from the Polygon team.

Polygon Bug Put $23 Billion in Cryptocurrency at Risk
Hacker Used Exploit, Now Patched, to Steal $2 Million in Tokens
Prajeet Nair (@prajeetspeaks), December 30, 2021

A vulnerability in Polygon, a framework used to build Ethereum-compatible blockchain networks, has been fixed.


The bug, discovered on Dec. 3 by white hat hackers at bug bounty platform Immunefi, would have put 9,276,584,332 MATIC, worth nearly $23 billion at the time, at risk, according to Immunefi.

MATIC is the cryptocurrency used within the Polygon network.

“Polygon’s core development team with help from bug bounty platform Immunefi successfully fixed a critical network vulnerability.
