Polygon quietly carried out a network upgrade earlier this month to fix a critical network vulnerability, one that had already been exploited for the loss of 801,601 MATIC tokens.
The Polygon team announced the upgrade in a blog post on Wednesday, December 29. According to the team, because of the nature of the vulnerability, the upgrade was carried out in secret and without affecting network performance.
All you need to know about the recent Polygon network update.
✅ A security partner discovered a vulnerability
✅ Fix was immediately introduced
✅ Validators upgraded the network
✅ No material harm to the protocol/end-users
✅ White hats were paid a bounty https://t.co/oyDkvohg33
— Polygon (Labs) (@0xPolygonLabs) December 29, 2021
What Happened?
According to the blog post, on December 3, a group of white-hat hackers notified Immunefi, which hosts Polygon’s $2 million bug bounty program, of a vulnerability in the Polygon PoS genesis contract.
The Polygon team confirmed the vulnerability and the decision was made to upgrade the network mainnet as soon as possible. The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix. On that same day, Polygon released the upgrade Bor v0.2.12-beta1 to “validators on Mumbai testnet at Block #22244000.”
On December 4, the testnet upgrade was complete, and the Polygon team, the white-hat hackers, and Immunefi validated the fix and prepared for the mainnet update. On that day, another white hat reported the same vulnerability. Despite the best efforts of the teams, a malicious actor was able to exploit the vulnerability to steal MATIC tokens before the mainnet fix landed. The blog post reads:
“Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect. The foundation will bear the cost of the theft.”
The mainnet upgrade was finally executed on December 5 at “block #22156660 without impacting the liveness and performance of the network in any major way.” Polygon paid a total of about $3.46 million as bounty to two white hats who helped discover the bug.
According to an Immunefi post-mortem report, Polygon paid a bounty of $2.2m in stablecoins to the first white hat and 500,000 MATIC to the second. The vulnerability consisted of a missing balance/allowance check in the transfer function of Polygon’s MRC20 contract.
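To make the bug class concrete, here is an added illustration (not Polygon’s MRC20 code, and not taken from the post mortem) of a token transfer path that moves funds without checking the spender’s allowance or the sender’s balance, next to the checked version; the contract and function names are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustration only: NOT Polygon's MRC20 contract. It shows the bug class named
// in the post mortem (a transfer path with no balance/allowance check) beside a
// hardened version of the same function.
contract TokenExample {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        return true;
    }

    // VULNERABLE: nothing ties msg.sender to `from`, so any caller can move any
    // holder's tokens. Inside `unchecked`, an over-large amount also wraps the
    // balance around instead of reverting, mirroring pre-0.8 compiler behaviour.
    function transferFromUnchecked(address from, address to, uint256 value) external returns (bool) {
        unchecked {
            balanceOf[from] -= value;
            balanceOf[to] += value;
        }
        emit Transfer(from, to, value);
        return true;
    }

    // HARDENED: the caller must hold a sufficient allowance from `from`, that
    // allowance is consumed, and the balance is verified before it is debited.
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        require(to != address(0), "transfer to zero address");
        require(balanceOf[from] >= value, "insufficient balance");
        require(allowance[from][msg.sender] >= value, "insufficient allowance");
        allowance[from][msg.sender] -= value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
        return true;
    }
}
```

A unit test that calls `transferFromUnchecked` from an address with no allowance and expects it to revert would fail against the vulnerable function and pass against the hardened one, which is the kind of check that catches this class of defect before deployment.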
The team said that given the seriousness of the vulnerability, this was kept secret until everything was fixed and tested. Polygon’s co-founder Jayanti Kanani stated:
“All projects that achieve any measure of success sooner or later find themselves in this situation. What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances.”