Polygon upgrade quietly fixes bug that put $24B of MATIC at risk

Published at: Dec. 30, 2021

Ethereum-based layer two scaling network Polygon has quietly fixed a vulnerability that put almost $24 billion worth of its native token MATIC at risk.

According to a Dec. 29 blog post from Polygon, the “critical” vulnerability in the network’s Proof-of-Stake (PoS) Genesis contract was first highlighted by two whitehat hackers on Dec. 3 and Dec. 4 via blockchain security and bug bounty hosting platform Immunefi.

All you need to know about the recent Polygon network update.
✅ A security partner discovered a vulnerability
✅ Fix was immediately introduced
✅ Validators upgraded the network
✅ No material harm to the protocol/end-users
✅ White hats were paid a bounty
https://t.co/oyDkvohg33

— Polygon | $MATIC (@0xPolygon) December 29, 2021

The vulnerability put more than 9.27 billion MATIC at risk, valued at around $23.6 billion at the time of writing. That figure represents the vast majority of the token’s total supply of 10 billion.

Polygon noted that the bug was resolved at Block #22156660 via an “Emergency Bor Upgrade” to the Mainnet on Dec. 5 at around 7:27 am UTC. The network noted that a “malicious hacker” managed to steal 801,601 MATIC ($2.04 million) before the bug was resolved. The blog post said:

“The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix. The validator and full node communities were notified, and they rallied behind the core devs to upgrade 80% of the network within 24 hours without stoppage.”

Polygon stated that the issue was fixed behind closed doors as it follows the “silent patches” policy introduced by the Go Ethereum (Geth) team in November 2020. Under the guidelines, projects or developers report on key bug fixes 4-8 weeks after they go live to avoid the risk of being exploited at the time of patching.

According to Immunefi, whitehat hacker “Leon Spacewalker” was the first to report the security hole on Dec. 3 and will be rewarded with $2.2 million worth of stablecoins for their efforts, while the second, unnamed hacker, referred to as “Whitehat2,” will receive 500,000 MATIC ($1.27 million) from Polygon.


Polygon's co-founder Jaynti Kanani emphasized the network's ability to promptly resolve the critical bug, noting in the blog post that:

“What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances.”

According to data from Coingecko, MATIC is priced at $2.45 and is up 35.1% over the past 30 days despite this month’s downturn across major crypto assets.
