Yesterday, Polygon revealed that it had performed a hard fork to fix a bug it deemed critical.
Hard fork for Polygon
A post on the official blog revealed that an update to the Polygon protocol was made on December 5.
The hard fork was necessary to fix a vulnerability in the protocol, critical enough that the update had to be performed without attracting too much attention.
The vulnerability was discovered by a group of whitehat hackers and disclosed to Immunefi, which hosts Polygon’s bug bounty. It was a vulnerability related to the Polygon PoS genesis contract dated December 3.
The fix was applied immediately, so much so that 80% of the network was updated within 24 hours of the start of the update.
This update did not affect network functionality or performance in any way.
Therefore, the vulnerability is now resolved without material damage to the protocol or its end-users. Note that the price of the MATIC token on the market seems not to have been significantly affected by the issue.
Hack for Polygon
However, a malicious hacker exploited the vulnerability to steal 801,601 MATIC (about $2 million) before the update took effect. The cost of this theft will be borne entirely by the Polygon Foundation.
According to some analysts, this exploit could have allowed the total theft of over 9.2 billion MATIC tokens (over $24 billion) out of a total supply of 10 billion. In fact, the bug could have allowed attackers to arbitrarily mint all of Polygon’s more than 9.2 billion MATIC tokens on the MRC20 contract.
In addition, Polygon paid approximately $3.46 million to the whitehat hackers who discovered the bug.
An extensive analysis of the incident was then conducted, uncovering several processes that can still be improved and some actions that can make the network more resilient in the future.
Polygon co-founder Jaynti Kanani said:
“All projects that achieve any measure of success sooner or later find themselves in this situation. What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances.”
Immunefi Chief Technology Officer Duncan Townsend added:
“The Polygon team’s response to this disclosure was swift and effective. That this incident had a happy ending is a testament to their expertise. Tight coordination with the Polygon validators helped avert what could’ve been a major disaster.”