Ethereum scaling project Polygon was at risk of losing nearly all of its MATIC tokens until it upgraded its network earlier this month.
The problem was a “critical” vulnerability in Polygon’s proof-of-stake genesis contract, which could have allowed attackers to steal over 9.2 billion MATIC tokens (currently worth over $24 billion). The total supply of MATIC tokens is 10 billion.
The vulnerability was reported on the bug bounty platform Immunefi by a whitehat hacker known as Leon Spacewalker. According to details shared Wednesday, the bug essentially could have allowed attackers to arbitrarily mint all of Polygon’s more than 9.2 billion MATIC tokens from its MRC20 contract.
After Spacewalker found the bug, Immunefi informed the Polygon team the same day. The team then confirmed the vulnerability and moved to update the Polygon network, initially with an update for its Mumbai testnet.
According to Polygon, the testnet update was completed on December 4, and the team was preparing for the mainnet upgrade. Yet before the mainnet upgrade was undertaken, a malicious actor exploited the bug and stole 801,601 MATIC tokens (currently worth over $2 million). Polygon has said it will bear the cost of the theft.
After the MATIC tokens were stolen, a second whitehat hacker (who remains anonymous) discovered the vulnerability and submitted a report to Immunefi. Polygon then released an emergency upgrade for its mainnet, with the hard fork taking place on December 5.
Though details of the incident wouldn’t be released until December 29, chatter on social media in mid-December emerged about Polygon’s silent, zero-warning hard fork.
At the time, Polygon co-founder Mihailo Bjelic said that there was a vulnerability and that the team would release additional details. “We are now investing much more in security and we’re making an effort to improve security practices across all Polygon projects,” he wrote at the time.
As for why the project waited until now to disclose the bug, Polygon said it follows a “silent patches” policy introduced and used by the Geth (an Ethereum software client) team, explaining:
“All in all, the core development team struck the best possible balance between openness and doing what is best for the community, partners and the broader ecosystem in handling this extremely urgent and sensitive issue. But you can be the judge of that.”
The Polygon team awarded bug bounties worth roughly $3.46 million, with Spacewalker receiving $2.2 million worth of stablecoins, and the anonymous whitehat hacker receiving 500,000 MATIC tokens (currently worth over $1.27 million).
The market for MATIC doesn’t appear to have been affected by the bug news, with the token trading at around $2.59 as of press time.