
Polygon Bug Put $23 Billion in Cryptocurrency at Risk

Hacker Used Exploit, Now Patched, to Steal $2 Million in Tokens

A vulnerability in Polygon, a framework used to build Ethereum-compatible blockchain networks, has been fixed.


The bug, discovered on Dec. 3 by white hat hackers at bug bounty platform Immunefi, would have put 9,276,584,332 MATIC, worth nearly $23 billion at the time, at risk, according to Immunefi.

MATIC is the cryptocurrency used within the Polygon network.

"Polygon’s core development team with help from bug bounty platform Immunefi successfully fixed a critical network vulnerability. Considering the nature of this upgrade, it had to be executed without attracting too much attention," Polygon said in a release on Wednesday.

On Dec. 3, a group of white hat hackers notified Immunefi - which hosts Polygon’s bug bounty program - about the vulnerability in the network's proof-of-stake genesis contract, according to the blog post.

Before the Polygon team could address the vulnerability, a malicious hacker used the exploit to steal around 801,601 MATIC, worth around $2 million at the time, the post says.

Polygon says it will bear the cost of the theft.

"All projects that achieve any measure of success sooner or later find themselves in this situation," says Jaynti Kanani, co-founder of Polygon. "What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances."

Polygon's blog post says it was able to "immediately" fix the vulnerability with the help of white hat hackers and Immunefi’s expert team. The upgrade was implemented on Dec. 5.

"The validator and full node communities were notified, and they rallied behind the core devs to upgrade 80% of the network within 24 hours without stoppage," the post says.

Polygon did not immediately respond to Information Security Media Group's request for technical details on the vulnerability and the specific risks it posed.

The Vulnerability

Immunefi, in a Medium post, says that the vulnerability consisted of a lack of balance/allowance checks in the transfer function of Polygon’s MRC20 contract and would have allowed an attacker to steal all available MATIC from that contract.

"The MRC20 standard is used mainly for the possibility of transferring MATIC gaslessly, which, with Ether, is impossible to do. When sending Ether, you’re making a transaction that a wallet needs to sign," Immunefi says. "Gasless MATIC transfers are facilitated by the transferWithSig() function. The user who owns the tokens signs a bundle of parameters including the operator, amount, nonce and expiration."

A gasless transaction is one in which the token owner only signs the transfer and a third party (the operator) submits it to the network, paying the transaction fee known as "gas" on the owner's behalf.
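To make the reported defect concrete, the following is an added, simplified illustration of a transferWithSig()-style gasless transfer; it is not Polygon's MRC20 code, and every name other than transferWithSig (the contract, the allowance and nonce mappings, the digest format built on the Ethereum signed-message prefix and ecrecover) is an assumption made for the example. The two require statements marked in the body are the balance and allowance checks whose absence Immunefi describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative gasless-transfer token written for this article; it is NOT
// Polygon's MRC20 contract. Names other than transferWithSig are assumptions.
contract GaslessToken {
    mapping(address => uint256) public balanceOf;
    // Assumed design: an operator may only move what the owner has approved.
    mapping(address => mapping(address => uint256)) public allowance;
    mapping(address => uint256) public nonces; // per-signer replay protection (assumed)

    // Digest of the bundle the token owner signs: operator, amount, nonce, expiration.
    function transferDigest(address operator, uint256 amount, uint256 nonce, uint256 expiration)
        public view returns (bytes32)
    {
        bytes32 inner = keccak256(abi.encodePacked(address(this), operator, amount, nonce, expiration));
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    // The operator (relayer) submits the owner's signature and pays the gas;
    // `amount` moves from the recovered signer to `to`.
    function transferWithSig(uint8 v, bytes32 r, bytes32 s, uint256 amount,
                             uint256 nonce, uint256 expiration, address to)
        external returns (address from)
    {
        require(block.timestamp <= expiration, "signature expired");
        from = ecrecover(transferDigest(msg.sender, amount, nonce, expiration), v, r, s);
        require(from != address(0), "bad signature");
        require(nonce == nonces[from], "bad nonce");
        nonces[from] = nonce + 1;

        // The checks the article reports were missing: the signer must actually
        // hold the tokens, and the operator must be allowed to move that much.
        require(balanceOf[from] >= amount, "insufficient balance");
        require(allowance[from][msg.sender] >= amount, "operator allowance exceeded");
        allowance[from][msg.sender] -= amount;

        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }

    function approve(address operator, uint256 amount) external {
        allowance[msg.sender][operator] = amount;
    }
}
```

Under Solidity 0.8 the subtraction from balanceOf[from] would itself revert on underflow, but the explicit require states the invariant and gives a clear failure reason; under older compilers or inside an `unchecked` block it is the only guard.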

Immunefi did not immediately respond to Information Security Media Group's request for additional details on the specifications of the vulnerability and the process of its discovery.

Bug Bounty

Polygon paid a total bounty of $3.46 million to two white hat hackers who discovered the bug, according to the blog post. Leon Spacewalker, the first white hat hacker to report the security loophole on Dec. 3, will be rewarded with $2.2 million worth of stablecoins, Immunefi says. It says the second hacker, who was only referred to as Whitehat2, will receive 500,000 MATIC (currently over $1.2 million) from Polygon.

Spacewalker didn’t respond to ISMG's request for comments.

Transparency Concerns

Twitter is abuzz with concerns about how Polygon addressed the vulnerability.

Nathan Worsley, an MEV engineer and DeFi builder, tweeted: "Are we all supposed to just shut up and forget about the fact that over a week ago Polygon hard-forked their blockchain in the middle of the night with no warning to a completely closed-source genesis and still haven't verified the code or explained what is going on?"

Polygon says there is a "natural tension between security and transparency, both of which are the cornerstone values at Polygon."

"Our initial disclosure was minimal because we follow the silent patches policy introduced and used by the Geth [an Ethereum software client] team. All in all, the core development team struck the best possible balance between openness and doing what is best for the community, partners and the broader ecosystem in handling this extremely urgent and sensitive issue. But you can be the judge of that," Polygon says.


About the Author

Prajeet Nair

Principal Correspondent

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.
