Polygon upgrade quietly fixes bug that put $24B of MATIC at risk
Ethereum-based layer two scaling network Polygon has quietly fixed a vulnerability that put almost $24 billion worth of its native token MATIC at risk.
According to a Dec. 29 blog post from Polygon, the “critical” vulnerability in the network’s Proof-of-Stake (PoS) Genesis contract was first highlighted by two whitehat hackers on Dec. 3 and Dec. 4 via blockchain security and bug bounty hosting platform Immunefi.
All you need to know about the recent Polygon network update.✅A security partner discovered a vulnerability✅Fix was immediately introduced✅Validators upgraded the network✅No material harm to the protocol/end-users✅White hats were paid a bounty https://t.co/oyDkvohg33— Polygon | $MATIC (@0xPolygon) December 29, 2021
The vulnerability put more than 9.27 billion MATIC at risk that is valued at around $23.6 billion at the time of writing, with the figure representing the vast majority of the token’s total supply of 10 billion.
Polygon noted that the bug was resolved at Block #22156660 via an “Emergency Bor Upgrade” to the Mainnet on Dec. 5 at around 7:27 am UTC. The network noted that a “malicious hacker” managed to steal 801,601 MATIC ($2.04 million) before the bug was resolved. The blog post said:
“The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix. The validator and full node communities were notified, and they rallied behind the core devs to upgrade 80% of the network within 24 hours without stoppage.”
Polygon stated that the issue was fixed behind closed doors as it follows the “silent patches” policy introduced by the Go Ethereum (Geth) team in November 2020. Under the guidelines, projects or developers report on key bug fixes 4-8 weeks after they go live to avoid the risk of being exploited at the time of patching.
According to Immunefi, Whitehat hacker “Leon Spacewalker” was the first to report on the security hole on Dec. 3 and will be rewarded with $2.2 million worth of stablecoins for their efforts, while the second unnamed hacker, referred to as “Whitehat2” will receive 500,000 MATIC ($1.27 million) from Polygon.
Polygon's co-founder Jaynti Kanani emphasized the network's ability to promptly resolve the critical bug, noting in the blog post that:
“What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances.”
According to data from Coingecko, MATIC is priced at $2.45 and is up 35.1% over the past 30 days despite the current downturn across major crypto assets this month.Source