Earlier this month, the popular Ethereum (ETH) layer-2 solution Polygon (MATIC) carried out a hard-fork, though in silence and with no official explanation. Now, exactly 24 days later, it justified its actions in a postmortem, citing a critical vulnerability that could have drained the network of MATIC 9.3bn (USD 23.56bn at current rates).
“Considering the nature of this upgrade, it had to be executed without disclosing the actual vulnerability and without attracting too much attention,” said Jaynti Kanani, co-founder and CEO of Polygon, adding that they are trying to follow the “silent patches” policy.
Further detailing on the incident, the Polygon team said that a whitehat hacker named Leon Spacewalker reported the vulnerability on December 3. Following the report, in coordination with Immunefi, a major bug bounty platform for decentralized finance (DeFi) projects, the team investigated blockchain activity, validated a fix, and hard-forked on December 5.
“The validator and full node communities were notified, and they rallied behind the core devs to upgrade the network. The upgrade was executed within 24 hours, at block #22156660, on Dec. 5,” Kanani said.
In mid-December, several Polygon community members took to Twitter to express their frustration and bewilderment about the update, asking the team for some explanation. Considering that Polygon, currently ranked 14 in terms of market capitalization, is not an obscure crypto project, the sudden hard fork was worrying to some.
“Are we all supposed to just shut up and forget about the fact that over a week ago Polygon hard-forked their blockchain in the middle of the night with no warning to a completely closed-source genesis and still haven’t verified the code or explained what is going on?,” one user said.
In response, ostensibly for the first time, Polygon co-founder Mihailo Bjelic said that the unscheduled hard-fork was due to “a vulnerability in one of the recently verified contracts,” disclosing no further details.
Apparently, not all of the Polygon node operators, who are responsible for running the network software, were aware of the hard-fork as some allegedly woke up to their nodes disconnected.
Meanwhile, the team aims to pay out a bounty of USD 2.2m in stablecoins to the whitehat Spacewalker, and another MATIC 500,000 (USD 1.2m) to “Whitehat2,” who had “submitted a report on December 4 referencing the same vulnerability.”
While the team managed to prevent what could have been the largest exploit in DeFi history, some bad actors exploited the vulnerability prior to the update and ran away with a portion of user funds.
“Additionally, a blackhat–or a set of blackhats–managed to steal 801,601 MATIC tokens using the same exploit before the fix was implemented,” Polygon said. This is currently worth over USD 2m.
As of now, the title of the largest hack in DeFi history belongs to Poly Network, which lost over USD 600m in an exploit back in August.
At 8:33 UTC Wednesday morning, MATIC is trading at USD 2.54, down by 5.6% over the past 24 hours. The coin is up by 54% in a month and by 13,285% in a year, according to CoinGecko.
– Polygon Makes USD 400M Bet On Ethereum Scaling, Pepsi Goes NFT + More News
– Watch: Polygon’s Co-founder On ‘Holy Grail’ of Scaling, Ethereum Merge, NFTs, and More
– Polygon Flips Ethereum in Daily Transactions, Price Hits All-Time High
– Santa Hackathon? Visor Finance Marks 7th Hack in December