Polygon deployed a stealth hard fork earlier this month to patch a critical bug

The core development team behind Polygon has revealed that a critical bug in one of their contracts was briefly exploited for $1.6 million.

A hacker stole $1.6 million after exploiting a Polygon bug

Polygon reported that a critical bug on the network was fixed through a hard fork on December 5. Before the hard fork, an unknown hacker stole $1.6 million worth of MATIC, the team revealed in a blog post on Thursday, 24 days after the event.

In the first week of December, Leon Spacewalker and Whitehat2, two ethical hackers associated with the Immunefi bug bounty platform, notified Polygon of a vulnerability. The bug was found in the transfer function of the MRC20 contract used for gasless transactions on the network.

After the bug was reported, Polygon patched it through a stealth hard fork coordinated with all of its validators and node operators. Although the security flaw was fixed within a few days, that was not soon enough to stop an anonymous black hat hacker from stealing 801,601 MATIC, worth $1.6 million at the time.

“Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect,” the team reported in a post-mortem.

The situation could have been much worse had the fix been delayed any further. Immunefi, which assisted Polygon in deploying the fix, stated in a separate blog post that malicious hackers could have drained roughly 9.2 billion MATIC tokens, valued at about $20 billion, if the Polygon bug had not been reported in time.

Commenting on the steps the team took to patch the vulnerability, Polygon co-founder Jaynti Kanani said the team “made the best decisions possible given the circumstances.”

Polygon paid bounty rewards of approximately $3.46 million to the ethical hackers who reported the bug. Additionally, the team says it will bear the cost of the stolen MATIC. This is not the first time a critical bug has been discovered and patched on Polygon. In October 2021, Polygon patched a critical bug in the Plasma Bridge, which held $850 million in locked funds.

Polygon did not clarify why the hack was not made public for 24 days. Representatives from the project did not respond to a request for comment.
