Key Takeaways

  • Polygon was hardforked on Dec. 5 to patch a critical vulnerability in the MRC20 contract.
  • Before the hardfork, a hacker was able to steal 801,601 MATIC due to the bug.
  • Polygon has paid bounty rewards of about $3.46 million to ethical hackers who notified the team.


The core development team behind Polygon has revealed that a critical bug in one of its contracts was briefly exploited for $1.6 million.

Polygon Was Secretly Hardforked to Patch Critical Bug

Polygon, a Proof-of-Stake sidechain on Ethereum, has reported that a critical bug on the network was fixed via a hard fork on Dec. 5. Before the hardfork, an unknown hacker stole $1.6 million in MATIC tokens, the team revealed in a Thursday blog post, 24 days after the event.

In the first week of December, Leon Spacewalker and Whitehat2, two ethical hackers associated with bug bounty platform Immunefi, notified Polygon of a vulnerability. The bug was found in the transfer function of its MRC20 contract used for gasless transactions on the network.

After the bug was reported, Polygon patched it by coordinating a stealth hard fork with all of its validators and node operators. Even though the vulnerability was fixed within a few days, the window was still long enough for an unknown black hat hacker to steal 801,601 MATIC tokens, worth $1.6 million at the time. In a post-mortem, the team reported:

“Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect.”

The situation could have been far worse had the fix been delayed further. Immunefi, which assisted Polygon in deploying the fix, stated in a separate blog post that if the bug had not been reported, malicious hackers could have drained roughly 9.2 billion MATIC tokens, valued at about $20 billion at the time.

Commenting on the steps taken by the team to patch the vulnerability, Polygon co-founder Jaynti Kanani said the team “made the best decisions possible given the circumstances.”

Polygon has paid bounty rewards of about $3.46 million to the ethical hackers who reported the bug. In addition, the team said it will bear the cost of stolen MATIC tokens.

This was not the first time a critical bug had been discovered and patched on Polygon. In October 2021, Polygon patched a critical bug in its Plasma Bridge, which held $850 million in locked funds.

Polygon did not clarify why the hack was not made public for 24 days. Representatives from the project did not respond to the request for comment.

Disclosure: At the time of writing, the author of this piece owned ETH, MATIC, and other cryptocurrencies.
