The core development team behind Polygon has revealed that a critical bug in one of their contracts was briefly exploited for $1.6 million.
A hacker stole $1.6 million after exploiting a Polygon bug
Polygon reported that a critical bug on the network was fixed through a hard fork on December 5. Before the hardfork, an unknown hacker stole 1.6 million MATIC dollars, the team revealed in a blog post-Thursday, 24 days after the event.
In the first week of December, Leon Spacewalker and Whitehat2, two ethical hackers, associated with the Immunefi bug bounty platform, notified Polygon of a vulnerability. The bug was found in the transfer function of the MRC20 contract used for gasless transactions on the network.
After the bug was reported, Polygon patched it by leveraging a hidden hard fork that worked with all of its validators and node operators. While the security flaw was fixed within a few days, it couldn’t stop an anonymous black hat hacker from stealing 801,601 $1.6 million worth of MATIC at the time.
“Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect”, in a post-mortem, the team report.
The situation could be much worse if this were delayed any further. Immunefi, which assisted Polygon in deploying the fix, stated in a different blog post that malicious hackers could have drained roughly 9.2 billion MATIC tokens valued at about $20 billion if the Polygon bug had not been reported time.
Commenting on the steps the team took to patch the vulnerability, Polygon co-founder Jaynti Kanani said the team “made the best decisions possible given the circumstances.”
Polygon paid bounty rewards of approximately $3.46 million to ethical hackers who reported bugs. Additionally, the team says they will bear the cost of the stolen MATIC. This is not the first time a critical bug has been discovered and patched on Polygon. In October 2021, Polygon patched a critical bug on the Plasma Bridge that had $850 million in locked funds.
Polygon did not clarify why the hack was not made public for 24 days. Representatives from the project did not respond to a request for comment.
Sign up for a Binance account here (Discount 10% trading fees): https://accounts.binance.com/en/register?ref=29171587
Read more:
- Snowflake Floki, A Knock-Off Of The Floki Inu Meme Coin, Is A Honeypot Scam
- Ethereum-Based Token MASK Is A Honeypot Scam, Not Metamask’s Governance Asset