Bugs and vulnerabilities are a fact of life for any blockchain network. Polygon has revealed how it dodged a bullet: it detected a vulnerability, developed a fix, upgraded the network and paid a bounty to the whitehat hackers who reported it, all under a silent patch.
Polygon’s Silent Patch
According to the latest blog post by the team, it all started on December 3rd, when two whitehat hackers reported an issue in the Polygon PoS genesis contract to the bug bounty platform Immunefi. The vulnerability could have allowed malicious actors to siphon off over 9.2 billion MATIC tokens (worth approximately $24 billion at the time) out of MATIC's total supply of 10 billion.
Polygon's core team then worked with the whitehat hackers and Immunefi to roll out a fix, upgrading 80% of the network within 24 hours without halting the chain.
The fix went live at block 22,156,660 on December 5th without disrupting the network, but an attacker exploited the bug shortly before the upgrade and stole 801,601 MATIC. The foundation stated that it will bear the cost of the theft.
Polygon also paid a combined bounty of about $3.46 million to the two whitehats.
The foundation further revealed that the bug was fixed without notifying the community beforehand, in line with the "silent patches" policy it follows. That policy was originally established by the Go Ethereum (Geth) team last year.
While speaking about how Polygon managed to avert high-scale damage, Immunefi’s CTO Duncan Townsend said,
“The Polygon team’s response to this disclosure was swift and effective. That this incident had a happy ending is a testament to their expertise. Tight coordination with the Polygon validators helped avert what could’ve been a major disaster.”
A Worrying Trend
The year brought big changes for the blockchain and cryptocurrency industry, and with them a fair share of attackers who caused significant financial damage. The age-old rule still holds: where there is money, malicious actors will try to steal it.
According to recent statistics, attackers got away with over $4 billion worth of cryptocurrency this year, nearly three times the 2020 figure. DeFi protocols alone accounted for $1.4 billion of the total crypto funds lost.