Polygon Bug Put $23 Billion in Cryptocurrency at Risk
Hacker Used Exploit, Now Patched, to Steal $2 Million in Tokens
A vulnerability in Polygon, a framework used to build Ethereum-compatible blockchain networks, has been fixed.
The bug, discovered on Dec. 3 by white hat hackers at bug bounty platform Immunefi, would have put 9,276,584,332 MATIC, worth nearly $23 billion at the time, at risk, according to Immunefi.
MATIC is the cryptocurrency used within the Polygon network.
"Polygon’s core development team with help from bug bounty platform Immunefi successfully fixed a critical network vulnerability. Considering the nature of this upgrade, it had to be executed without attracting too much attention," Polygon said in a release on Wednesday.
All you need to know about the recent Polygon network update.
A security partner discovered a vulnerability
Fix was immediately introduced
Validators upgraded the network
No material harm to the protocol/end-users
White hats were paid a bounty https://t.co/oyDkvohg33
— Polygon | $MATIC (@0xPolygon), December 29, 2021
On Dec. 3, a group of white hat hackers notified Immunefi - which hosts Polygon’s bug bounty program - about the vulnerability in the network's proof-of-stake genesis contract, according to the blog post.
Before the Polygon team could address the vulnerability, a malicious hacker used the exploit to steal around 801,601 MATIC, worth around $2 million at the time, the post says.
Polygon says it will bear the cost of the theft.
"All projects that achieve any measure of success sooner or later find themselves in this situation," says Jaynti Kanani, co-founder of Polygon. "What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances."
Polygon's blog post says it was able to "immediately" fix the vulnerability with the help of white hat hackers and Immunefi’s expert team. The upgrade was implemented on Dec. 5.
"The validator and full node communities were notified, and they rallied behind the core devs to upgrade 80% of the network within 24 hours without stoppage," the post says.
Polygon did not immediately respond to Information Security Media Group's request for technical details on the vulnerability and the specific risks it posed.
Immunefi, in a Medium post, says that the vulnerability consisted of a lack of balance/allowance checks in the transfer function of Polygon’s MRC20 contract and would have allowed an attacker to steal all available MATIC from that contract.
"The MRC20 standard is used mainly for the possibility of transferring MATIC gaslessly, which, with Ether, is impossible to do. When sending Ether, you’re making a transaction that a wallet needs to sign," Immunefi says. "Gasless MATIC transfers are facilitated by the transferWithSig() function. The user who owns the tokens signs a bundle of parameters including the operator, amount, nonce and expiration."
A gasless transaction is one in which a third party submits someone else's signed transaction and pays the transaction fee, known as "gas," on their behalf.
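To make the checks in that flow concrete, here is an added Python model (not Polygon's or Immunefi's code) of a transferWithSig()-style ledger that validates the signed bundle and then applies the balance check Immunefi says was missing. The HMAC-based signature, the account names and the amounts are constructed stand-ins; on-chain, ECDSA signature recovery would take the HMAC's place.

```python
import hashlib
import hmac


class GaslessTokenModel:
    """Toy ledger modelling the transferWithSig() flow described above: the
    owner signs (operator, amount, nonce, expiration), and a relayer (the
    operator) submits it and pays gas. Constructed model, not Polygon's code;
    an HMAC over a per-owner secret stands in for ECDSA signature recovery."""

    def __init__(self, balances, signing_secrets, check_balance=True):
        self.balances = dict(balances)
        self.secrets = signing_secrets          # owner -> secret (stand-in)
        self.used_nonces = set()
        self.check_balance = check_balance      # False models the reported bug

    def sign(self, owner, operator, amount, nonce, expiration):
        bundle = f"{owner}|{operator}|{amount}|{nonce}|{expiration}".encode()
        return hmac.new(self.secrets[owner], bundle, hashlib.sha256).hexdigest()

    def transfer_with_sig(self, caller, owner, operator, to, amount,
                          nonce, expiration, sig, now):
        # Only the operator named in the signed bundle may submit it.
        if caller != operator:
            raise PermissionError("caller is not the signed operator")
        # The bundle must carry the owner's signature.
        expected = self.sign(owner, operator, amount, nonce, expiration)
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("bad signature")
        # Expiry and replay protection.
        if now > expiration:
            raise ValueError("signature expired")
        if (owner, nonce) in self.used_nonces:
            raise ValueError("nonce already used")
        # The balance check Immunefi said was missing from the transfer path.
        if self.check_balance and self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.used_nonces.add((owner, nonce))
        self.balances[owner] = self.balances.get(owner, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return self.balances[owner], self.balances[to]


def demo(check_balance):
    """Owner holds 10 tokens but signs a 100-token transfer; returns
    ("ok", owner_balance, recipient_balance) or ("rejected", reason)."""
    ledger = GaslessTokenModel({"owner": 10}, {"owner": b"secret"}, check_balance)
    sig = ledger.sign("owner", "relayer", 100, 1, 1000)
    try:
        return ("ok",) + ledger.transfer_with_sig(
            "relayer", "owner", "relayer", "recipient", 100, 1, 1000, sig, now=500)
    except ValueError as exc:
        return ("rejected", str(exc))
```

With check_balance=False the owner's balance goes negative and the recipient is credited tokens that were never held, which is the class of defect the missing check allows; the hardened path rejects the same signed bundle.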
Immunefi did not immediately respond to Information Security Media Group's request for additional details on the specifications of the vulnerability and the process of its discovery.
Polygon paid a total bounty of $3.46 million to two white hat hackers who discovered the bug, according to the blog post. Leon Spacewalker, the first white hat hacker to report the security loophole on Dec. 3, will be rewarded with $2.2 million worth of stablecoins, Immunefi says. It says the second hacker, who was only referred to as Whitehat2, will receive 500,000 MATIC (currently over $1.2 million) from Polygon.
Spacewalker didn’t respond to ISMG's request for comments.
Twitter is abuzz with concerns about how Polygon addressed the vulnerability.
Nathan Worsley, an MEV engineer and DeFi builder, tweeted: "Are we all supposed to just shut up and forget about the fact that over a week ago Polygon hard-forked their blockchain in the middle of the night with no warning to a completely closed-source genesis and still haven't verified the code or explained what is going on?"
We are now investing much more in security and we're making an effort to improve security practices across all Polygon projects.
As a part of this effort, we are working with multiple security researcher groups, whitehat hackers etc. One of these partners discovered a..
— Mihailo Bjelic (@MihailoBjelic), December 15, 2021
Polygon says there is a "natural tension between security and transparency, both of which are the cornerstone values at Polygon."
"Our initial disclosure was minimal because we follow the silent patches policy introduced and used by the Geth [an Ethereum software client] team. All in all, the core development team struck the best possible balance between openness and doing what is best for the community, partners and the broader ecosystem in handling this extremely urgent and sensitive issue. But you can be the judge of that," Polygon says.