On December 3, a white hat hacker submitted a report of a possible exploit on the Polygon network to Immunefi. Soon after, the Polygon team confirmed the critical vulnerability and initiated actions to upgrade the Mainnet at the earliest. As per the official announcement published on December 29, the bug has been successfully fixed.
All you need to know about the recent Polygon network update.
✅A security partner discovered a vulnerability
✅Fix was immediately introduced
✅Validators upgraded the network
✅No material harm to the protocol/end-users
✅White hats were paid a bounty https://t.co/oyDkvohg33— Polygon – MATIC 💜 (@0xPolygon) December 29, 2021
However, not without paying a price — 801,601 MATIC was stolen before the network upgrade went live. Polygon foundation will cover the loss, without letting the theft impact users. The cost is in addition to the $3.46 million paid as bounty to two white hats who shed light on the vulnerability.
Immunifi hosts Polygon’s $2 million bounty program. The leading Web3 bug bounty platform protects $100 billion in user funds. According to Immunefi’s CTO Duncan Townsend, “tight coordination with the Polygon validators helped avert what could’ve been a major disaster”. The Polygon team informed Validators of an ‘Emergency Bor Upgrade for Mainnet’ on December 4 and executed the Mainnet update for +90% validators at Block #22156660 the next day.
What took Polygon so long to make the announcement
Polygon waited days to go public about the critical bug and the consequent network update, in line with the “silent patches” policy. Although the validator and full node communities were notified along with core devs, most of the work was under wraps, possibly not to draw attention from malicious hackers.
“This was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances,” says Polygon co-founder Jaynti Kanani.
In the days that followed the update, an extensive probe was initiated into the incident. Not just in an attempt to discover the root causes, but also to improve the existing system bringing more resilient measures into action. This includes updating the critical response processes, consolidating partner contact info and communications channels, and identifying and formalizing backups for key internal resources to combat time-sensitive threats.
The blog concludes by emphasizing the importance of investing into an ecosystem of security expert partners.
