Polygon, a Layer 2 scaling network based on Ethereum, has kept its silence for almost a month about a critical vulnerability that almost destabilized its ecosystem, with roughly $24 billion worth of MATIC, its native token, put at risk because of an external threat actor.
While Polygon has done a great job at keeping the situation under wraps for almost a month, when things have started to clear up and its protocol's security engineers have signaled that the coast was clear, the protocol went on to release what can be deemed as a post-crisis report.
Polygon quietly pushed an update to its network, and with it, a crucial fix was shipped to all its nodes and validators.
All you need to know about the recent Polygon network update.— Polygon | $MATIC 💜 (@0xPolygon) December 29, 2021
✅A security partner discovered a vulnerability
✅Fix was immediately introduced
✅Validators upgraded the network
✅No material harm to the protocol/end-users
✅White hats were paid a bounty https://t.co/oyDkvohg33
In a blog post detailing the incident, the Polygon team reported that the vulnerability was first disclosed by two whitehat hackers over two days, a window of disclosure which went from December 3 to December 4, 2021. During this window, the critical vulnerability identified within Polygon's proof-of-stake Genesis contract was detailed through the two whitehat hacker's cooperation with Immunefi, a blockchain security and bug bounty hosting firm.
"The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix. The validator and full node communities were notified, and they rallied behind the core devs to upgrade 80% of the network within 24 hours without stoppage." Polygon explained.
According to the post-situational analysis, some 9.27 billion units of $MATIC, Polygon's native token, were put at risk. With MATIC's total supply of 10 billion, this put roughly 92% of the network in grave danger. Fortunately, Polygon's community of nodes and core devs worked together what could have been another dark forest incident.
“What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances.” shared Polygon co-founder Jaynti Kanani.
Despite these efforts, the threat actor was able to siphon off 801,601 MATIC from the network before it was patched. The stolen tokens amount to roughly $2 million at the time. The Polygon foundation has since resolved to "bear the cost of the theft."
Polygon stated that the fix was introduced thereafter, with the bug resolved at block 22,156,660 through an "Emergency Bor Upgrade" to the Polygon mainnet. This occured at 7:27 AM UTC on December 5, 2021.
“The Polygon team’s response to this disclosure was swift and effective,” shared Immunefi CTO Duncan Townsend. “That this incident had a happy ending is a testament to their expertise. Tight coordination with the Polygon validators helped avert what could’ve been a major disaster,” he added.
According to Polygon, the reason why the issue was not disclosed publicly and was resolved behind closed doors is because their team were following a policy introduced by the Go Ethereum team back in November 2020. This policy, called "silent patches," provides leeway to protocol developers to report on key infrastructural patches over 4-8 weeks after an incident occurs and a fix is introduced. This helps the protocol avoid the risk of being "sniped" or exploited during the time that the patch is being done.
Whitehat hacker "Leon Spacewalker" initiated the vulnerability disclosure and coordination with Immunefi, while another hacker who goes by "Whitehat2" followed up and confirmed the initial observations. The two whitehats will be rewarded by both Immunefi and Polygon, with Leon Spacewalker receiving $2.2 million in stablecoins as reward, and Whitehat2 receiving 500,000 MATIC, or about $1.2 million.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.