Polygon Discloses Patched Exploit That Put 9B MATIC at Risk

“There is a natural tension between security and transparency,” Polygon’s team said in a Wednesday blog post.

Dec 29, 2021 at 9:58 p.m. UTC
Updated Dec 29, 2021 at 10:27 p.m. UTC

Danny is CoinDesk's deputy business editor. He owns BTC, ETH and SOL.

A hacker who helped Polygon avert a multibillion-dollar disaster in early December won a $2.2 million bug bounty, the blockchain network said Wednesday.

On Dec. 3, the so-called “white hat,” known as “Leon Spacewalker” on Twitter and GitHub, reported an exploit in a critical Polygon smart contract that held more than 9 billion MATIC tokens, then worth around $20.2 billion. Core developers rushed a fix out by Dec. 5.

It wasn’t fast enough to protect all the contract’s funds, according to Immunefi, the crypto security startup that managed Polygon’s bug bounty program. Separate hackers pilfered 801,601 MATIC tokens (then worth around $1.4 million) on Dec. 4. Polygon Foundation said it took the hit.

Still, the fix, a hard fork that was live across 90% of network validators by Block #22156660 according to Polygon’s timeline of events, protected a massive trove of funds on the Ethereum scaling tool. Polygon hadn’t publicly discussed the reasoning for the hard fork before Wednesday.

Consulting the record

CoinDesk reviewed the Polygon Discord server’s validator channel on Dec. 5. In it, multiple validators expressed anger that the core developers had quietly pushed through, without warning, what is usually a major and well-publicized software upgrade.

Indeed, the abrupt hard fork had spillover effects for the network as validators unprepared for the shift were knocked offline, according to the Discord logs.

Polygon’s developers acknowledged on Wednesday their initial silence created a precarious position. “There is a natural tension between security and transparency,” the team said in its blog post. They said a “minimal” initial disclosure followed the Ethereum community’s “silent patch” standard.

“What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure,” co-founder Jaynti Kanani said in a blog post. “Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances.”

Polygon’s bug bounty program awarded Leon Spacewalker $2.2 million in stablecoins; a different white hat who reported the same bug after the initial thefts won 500,000 MATIC.

Spacewalker didn’t respond to CoinDesk by press time.
