Polygon identified a critical vulnerability in its network that hackers could exploit to steal all of its MATIC tokens worth $24 billion.
Polygon, an Ethereum-based blockchain protocol and framework, said on December 29 that a serious flaw in its network had exposed $24 billion worth of its native token MATIC to danger. In a blog post released on Wednesday, the firm described the potential scope of the vulnerability and its fix. According to the blog, Polygon and Immunefi, a leading bug bounty platform, collaborated to launch the fix. The firm also says that, owing to the nature of the bug, it had to apply the patch covertly. However, once the fix was in place and validated, it decided to release a statement of all that took place.
Immunefi also released a postmortem report detailing the nature of the network vulnerability and its fix. As per the report, two white hat hackers were the first to notice the flaw and report it to Immunefi. Once the patch was released, Polygon paid the two hackers bounties of $2.2 million and 500,000 MATIC tokens ($1.2 million) respectively. The bounty amounts, according to Polygon, far surpass its usual bounty limits. However, citing the criticality of the vulnerability, Polygon deemed it right to pay the huge amount to the hackers.
The Polygon Bug that Put all of MATIC at Stake
On December 3, a white hat hacker who goes by the name Leon Spacewalker informed Immunefi about the network bug. From the hacker's report, the bounty firm surmised that the bug was related to the MRC20 contract. MRC20 is a contract on the Polygon network that MATIC owners can use to transfer the token “gaslessly”.
The postmortem report says that attackers could use the MRC20 contract to mint an arbitrary number of tokens. This means that attackers exploiting the vulnerability could have stolen all 9,276,584,332 MATIC tokens on the Polygon network.
As soon as Polygon was notified of the exploit, it took immediate action and released a fix within hours. However, before the fix could be applied, black hat hackers stole 801,601 MATIC tokens. The company says that it will bear the cost of the loss. Polygon’s co-founder Jaynti Kanani stated that this incident was a test of the Polygon network’s defences. Furthermore, he praised his team for taking timely action and avoiding a major disaster.