Ethereum-based layer-two scaling network Polygon was recently notified of a bug that had potentially put $24B worth of MATIC at risk. With help from bug bounty platform Immunefi, the bug, which was part of a critical network vulnerability, is now fixed.
As the tweet from Polygon mentions, things are back to normal and the risk was not exploited, so everything is as safe as it was.
✅ A security partner discovered a vulnerability
✅ Fix was immediately introduced
✅ Validators upgraded the network
✅ No material harm to the protocol/end-users
✅ White hats were paid a bounty
A group of white hat hackers notified Immunefi about this vulnerability in the Polygon PoS genesis contract on Dec. 3.
The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix. The validator and full node communities were notified, and they rallied behind the core devs to upgrade 80% of the network within 24 hours without stoppage.
Polygon paid a total of about $3.46 million as a bounty to two white hats who helped discover the bug. Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect. The foundation will bear the cost of the theft.
“The Polygon team’s response to this disclosure was swift and effective,” said Immunefi’s Chief Technology Officer Duncan Townsend. “That this incident had a happy ending is a testament to their expertise. Tight coordination with the Polygon validators helped avert what could’ve been a major disaster.”