
With $24 Billion Matic Vulnerable Polygon Quietly Fixes the Code

@kevinnag58

Introduction

Following its 'silent patches' policy, Polygon has reported that it fixed the code bug behind closed doors. This policy was first introduced in 2020 by the Go Ethereum team: under it, the project discloses its key code bug fixes four to eight weeks after the fix has been implemented. The purpose of the reporting delay is to reduce the risk of the bug being exploited while the patch is being rolled out.

This is why we did not learn of the vulnerability until December 29th, in a blog post from Polygon.

Details of the Vulnerability

As per the Polygon blog, a vulnerability was identified in the network's Genesis PoS contract. It was reported independently by two different whitehat hackers, on December 3 and December 4, through Immunefi (Polygon's bug bounty hosting platform).

At risk due to this vulnerability was more than 9.27 billion Matic, valued at approximately $23.6 Billion. The figure of 9.27 billion Matic at risk is highly significant given that the total supply of the token is 10 billion Matic.

The Fix and the Aftermath

The Timeline as Submitted by Polygon

Dec. 3, 10:11 (UTC) The first white hat hacker submits a report of a possible exploit to Immunefi, which hosts Polygon’s $2 million bounty program.
Dec. 3, 16:18 (UTC) Polygon confirms the vulnerability. Within one hour, various options are considered. The decision is made to upgrade the mainnet as soon as possible.
Dec. 3, 20:18 (UTC) The Polygon team provides release Bor v0.2.12-beta1 to validators on Mumbai testnet at Block #22244000.
Dec. 4, 04:26 (UTC) Mumbai update is complete. The Polygon team, white hat and Immunefi validate the fix and prepare for the update of the mainnet.
Dec. 4, 13:46 (UTC) The vulnerability is used to steal MATIC tokens, the first in a series of transfers that removes 801,601 MATIC in total.
Dec. 4, 18:53 (UTC) The second white hat submits a report to Immunefi.
Dec. 4, 21:08 (UTC) The Polygon team informs Validators of an “Emergency Bor Upgrade for Mainnet.”
Dec. 5, 07:27 (UTC) Mainnet update is complete for +90% validators at Block #22156660.

[Polygon. All You Need to Know About the Recent Network Upgrade. (Accessed December 31, 2021)].

Commentary on the Fix and the Aftermath

Polygon reported that the vulnerability was repaired by an 'Emergency Bor Upgrade' to its mainnet at approximately 07:27 UTC on December 5, at block 22,156,660. Polygon also noted that the attacker was able to steal 801,601 MATIC ($2.04 million) before the fix was implemented. Polygon, in its blog post, noted:

The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix. The validator and full node communities were notified, and they rallied behind the core devs to upgrade 80% of the network within 24 hours without stoppage.

[Id.]

'The Polygon team’s response to this disclosure was swift and effective,' said Immunefi's Chief Technology Officer Duncan Townsend. 'That this incident had a happy ending is a testament to their expertise. Tight coordination with the Polygon validators helped avert what could’ve been a major disaster.'

[Id.]

Co-founder of Polygon, Jaynti Kanani, likewise emphasized the prompt resolution of the vulnerability by the network, stating in the blog post:

What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances.

[Id.]

According to Immunefi, the two whitehat hackers will be compensated under the bug bounty as follows:

Polygon is paying out a bounty of $2.2m in stablecoins to Leon Spacewalker and 500,000 MATIC to Hacker2, which according to current market value is worth $1,262,711. The $2.2m exceeds the maximum value of Polygon’s critical bounty in recognition of the severity of the vulnerability.

[Immunefi. Polygon Lack Of Balance Check Bugfix Postmortem — $2.2m Bounty. (Accessed December 31, 2021)].

A small sum to pay given the risk of loss evident in this vulnerability.

Conclusion

While at first blush the 'silent patches' policy appears a bit shady, as it inhibits disclosure, its purpose is sound. It protects the platform, its users and its investors from additional loss while the vulnerability is addressed and rectified.

The vulnerability discussed herein could have been devastating to the Polygon network had it not been promptly and efficiently addressed and rectified. Likewise, the network's eventual transparency concerning the vulnerability is to be applauded.

It should be noted that the Polygon Foundation will be covering all losses incurred as a result of this exploit.

All in all, this is a testament to a job well done by the team at Polygon (and Immunefi) in addressing this problem.

Posted Using LeoFinance Beta