Polygon upgrade quietly fixes bug that put $24B of MATIC at risk

“Given the stakes, I believe our team made the best decisions possible given the circumstances,” said Polygon co-founder Jaynti Kanani.

Layer-two scaling network based on Ethereum Polygon has quietly patched a flaw that put nearly $24 billion in its native token, MATIC, at risk.

According to a Polygon blog post published on Wednesday, the “critical” vulnerability in the network’s proof-of-stake Genesis contract was discovered by two whitehat hackers on December 3 and 4 via the blockchain security and bug bounty hosting platform Immunefi.

The flaw put more than 9.27 billion MATIC at risk, worth around $23.6 billion at the time of writing, representing the vast majority of the token’s total supply of 10 billion.

The bug was fixed at block 22,156,660 via a “Emergency Bor Upgrade” to the mainnet on December 5 at around 7:27 a.m. UTC, according to Polygon. Before the bug was fixed, a “malicious hacker” stole 801,601 MATIC ($2.04 million), according to the network. According to the blog post:

“The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix. The validator and full node communities were notified, and they rallied behind the core devs to upgrade 80% of the network within 24 hours without stoppage.”

According to Polygon, the issue was resolved behind closed doors in accordance with the Go Ethereum team’s “silent patches” policy, which was implemented in November 2020. According to the guidelines, projects or developers must report on key bug fixes four to eight weeks after they go live in order to avoid being exploited during patching.

According to Immunefi, whitehat hacker “Leon Spacewalker” was the first to report the security hole on December 3 and will be rewarded with $2.2 million in stablecoins for their efforts, while Polygon will reward the second unnamed hacker, referred to as “Whitehat2,” with 500,000 MATIC ($1.27 million).

Polygon co-founder Jaynti Kanani emphasised the network’s ability to quickly resolve the critical bug in a blog post, noting that:

“What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances.”

According to CoinGecko data, MATIC is currently priced at $2.45 and is up 35.1 percent in the last 30 days, despite the current downturn in major crypto assets this month.