Polygon, a Layer 2 scaling network based on Ethereum, has kept its silence for almost a month about a critical vulnerability that almost destabilized its ecosystem, with roughly $24 billion worth of MATIC, its native token, put at risk because of an external threat actor.
Polygon kept the situation under wraps for almost a month; once the dust had settled and its security engineers had signaled that the coast was clear, the protocol released what amounts to a post-crisis report.
Polygon quietly pushed an update to its network, and with it, a crucial fix was shipped to all its nodes and validators.
In a blog post detailing the incident, the Polygon team reported that the vulnerability was first disclosed by two whitehat hackers over a two-day window, from December 3 to December 4, 2021. During this window, the critical vulnerability in Polygon’s proof-of-stake Genesis contract was detailed through the two whitehat hackers’ cooperation with Immunefi, a blockchain security and bug bounty hosting firm.
According to the post-incident analysis, some 9.27 billion units of $MATIC, Polygon’s native token, were put at risk. With MATIC’s total supply of 10 billion, this put roughly 92% of the network in grave danger. Fortunately, Polygon’s community of nodes and core devs worked together to avert what could have been another dark forest incident.
Despite these efforts, the threat actor was able to siphon off 801,601 MATIC from the network before it was patched. The stolen tokens amount to roughly $2 million at the time. The Polygon foundation has since resolved to “bear the cost of the theft.”
Polygon stated that the fix was introduced thereafter, with the bug resolved at block 22,156,660 through an “Emergency Bor Upgrade” to the Polygon mainnet. This occurred at 7:27 AM UTC on December 5, 2021.
According to Polygon, the issue was not disclosed publicly and was resolved behind closed doors because its team was following a policy introduced by the Go Ethereum team back in November 2020. This policy, called “silent patches,” gives protocol developers leeway to report key infrastructural patches 4-8 weeks after an incident occurs and a fix is introduced. This helps the protocol avoid the risk of being “sniped” or exploited while the patch is being rolled out.
Whitehat hacker “Leon Spacewalker” initiated the vulnerability disclosure and coordination with Immunefi, while another hacker who goes by “Whitehat2” followed up and confirmed the initial observations. The two whitehats will be rewarded by both Immunefi and Polygon, with Leon Spacewalker receiving $2.2 million in stablecoins as reward, and Whitehat2 receiving 500,000 MATIC, or about $1.2 million.