White-hat hackers who discovered the bug received $3.46 million from the Polygon Network for the information.
On December 5 the Polygon blockchain project team carried out an unscheduled upgrade of its network to prevent the theft of $24 billion worth of MATIC tokens, TheBlock reported, citing a press release. The project has now disclosed the details of the hard fork.
It emerged that on December 3 a participant in the Immunefi bug bounty program informed the platform about a critical vulnerability in the Polygon network. The problem was found in the genesis contract, which lacked a balance check, the developers said. Had cybercriminals exploited the flaw, the project could have lost about 9.3 billion MATIC tokens, 93% of the cryptocurrency's total supply. As of December 5, the potential damage was valued at $24 billion, according to TheBlock.
To fix the bug, the Polygon team carried out an unscheduled upgrade of its Mumbai test network the same day. A few hours later, on December 4, unknown attackers took advantage of the bug and withdrew 801.6 thousand MATIC tokens (about $2 million) from the main network. On the morning of December 5 the developers hard-forked the project's mainnet, but until yesterday they did not disclose the reasons.
White-hat hacker @leonspacewalker was the first to report the vulnerability to Immunefi. Later, the same information was submitted by another unnamed expert. Polygon paid the two white hats a total of $3.46 million in rewards: Spacewalker received $2.2 million in stablecoins, and the anonymous hacker received 500,000 MATIC tokens (about $1.25 million).
The cost of reimbursing the stolen 801.6 thousand tokens was covered by the Immunefi Foundation, the project said. In the middle of the month, Polygon co-founder Mihailo Bjelic commented on the hard fork. In a Twitter post, the head of the project discussed the discovery of the vulnerability in response to a user's question. Notably, he reported no losses.
Bjelic noted that Polygon is investing in security and improving security practices across all its projects.
The price of the MATIC token fell 0.71% on the news.
As a reminder, in October another white-hat hacker helped find a bug in the Polygon network; Immunefi awarded Gerhard Wagner $2 million.
The Polygon Press Release Said
Polygon paid a total of about $3.46 million as bounty to two white hats who helped discover the bug. Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect. The foundation will bear the cost of the theft.
“The Polygon team’s response to this disclosure was swift and effective,” said Immunefi’s Chief Technology Officer Duncan Townsend. “That this incident had a happy ending is a testament to their expertise. Tight coordination with the Polygon validators helped avert what could’ve been a major disaster.”
In the days after the upgrade, Polygon’s core team carried out an extensive post mortem and identified a number of existing processes that can be improved as well as actions that will make the network and our community more resilient in the future. These measures include the following:
Updating our critical response processes;
Consolidating partner contact info and communications channels;
Identifying and formalizing backups for key internal resources to eliminate single points of failure during time sensitive situations.
This experience highlighted the importance of investing into an ecosystem of security expert partners. We are very grateful to Immunefi for all their help. At the end of the day, this brought Polygon a step closer to becoming the most battle-tested scaling solution for Ethereum.