A Hacker Stole $1.6M After Exploiting a Polygon Bug

Polygon deployed a stealth hard fork earlier this month to patch a critical bug.

Key Takeaways

Polygon was hardforked on Dec. 5 to patch a critical vulnerability in the MRC20 contract.

Before the hardfork, a hacker was able to steal 801,601 MATIC due to the bug.

Polygon has paid bounty rewards of about $3.46 million to ethical hackers who notified the team.

The core development team behind Polygon has revealed that a critical bug in one of its contracts was briefly exploited for $1.6 million.

Polygon Was Secretly Hardforked to Patch Critical Bug

Polygon, a Proof-of-Stake sidechain on Ethereum, has reported that a critical bug on the network was fixed via a hard fork on Dec. 5. Before the hardfork, an unknown hacker stole $1.6 million in MATIC tokens, the team revealed in a Thursday blog post, 24 days after the event.

In the first week of December, Leon Spacewalker and Whitehat2, two ethical hackers associated with bug bounty platform Immunefi, notified Polygon of a vulnerability. The bug was found in the transfer function of its MRC20 contract used for gasless transactions on the network.

After the bug was reported, Polygon patched it by leveraging a stealth hard fork working alongside all of its validators and node operators. Even though the vulnerability was fixed within a few days, it could not stop an unknown black hat hacker from stealing 801,601 MATIC tokens worth $1.6 million at the time. In a post-mortem, the team reported:

“Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect.”

The situation could have been far worse had this been delayed further. Immunefi, which assisted Polygon in deploying the fix, stated in a different blog post that if the Polygon bug had not been reported, malicious hackers could have drained roughly 9.2 billion MATIC tokens valued at about $20 billion at the time.

Commenting on the steps taken by the team to patch the vulnerability, Polygon co-founder Jaynti Kanani said the team “made the best decisions possible given the circumstances.”

Polygon has paid bounty rewards of about $3.46 million to the ethical hackers who reported the bug. In addition, the team said it will bear the cost of stolen MATIC tokens.

This was not the first time when a critical bug was discovered and patched on Polygon. In October 2021, Polygon patched a critical bug on its Plasma Bridge that had $850 million in locked funds.

Polygon did not clarify why the hack was not made public for 24 days. Representatives from the project did not respond to Crypto Briefing’s repeated requests for comment at press time.

Disclosure: At the time of writing, the author of this piece owned ETH, MATIC, and other cryptocurrencies.

Disclaimer Read More Read Less

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.

Source: cryptobriefing.com