A Hacker Stole $1.6M After Exploiting a Polygon Bug

Key Takeaways

Polygon was hacked for 801,601 MATIC tokens in early December due to a critical bug.
The network was hardforked on Dec. 5 to patch the critical vulnerability.
Polygon has paid bounty rewards of about $3.46 million to ethical hackers who notified the team.

Share this article

The core development team behind Polygon has revealed that a critical bug in one of its contracts was briefly exploited for $1.6 million.

Polygon Was Secretly Hardforked to Patch Critical Bug

Polygon, a Proof-of-Stake sidechain on Ethereum, was briefly hacked earlier this month due to a bug later fixed via a hard fork on Dec. 5. Before the hard fork, an unknown hacker stole $1.6 million in MATIC tokens, the team revealed in a Thursday blog post, 24 days after the event.

In the first week of December, Leon Spacewalker and Whitehat2, two ethical hackers associated with bug bounty platform Immunefi, notified Polygon of a vulnerability. The bug was found in the transfer function of its MRC20 contract used for gasless transactions on the network.

After the bug was reported, Polygon patched it by leveraging a stealth hard fork working alongside all of its validators and node operators. Even though the vulnerability was fixed within a few days, it could not stop an unknown black hat hacker from stealing 801,601 MATIC tokens worth $1.6 million at the time. In a post-mortem, the team reported:

“Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect.”

The situation could have been far worse had this been delayed further. Immunefi, which assisted Polygon in deploying the fix, stated in a different blog post that if the Polygon bug had not been reported, malicious hackers could have drained roughly 9.2 billion MATIC tokens valued at about $20 billion at the time.

Commenting on the steps taken by the team to patch the vulnerability, Polygon co-founder Jaynti Kanani said the team “made the best decisions possible given the circumstances.”

Polygon has paid bounty rewards of about $3.46 million to the ethical hackers who reported the bug. In addition, the team said it will bear the cost of stolen MATIC tokens.

This was not the first time when a critical bug was discovered and patched on Polygon. In October 2021, Polygon patched a critical bug on its Plasma Bridge that had $850 million in locked funds.

Polygon did not clarify why the hack was not made public for 24 days. Representatives from the project did not respond to the request for comment.

Disclosure: At the time of writing, the author of this piece owned ETH, MATIC, and other cryptocurrencies.

Share this article

The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.

You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.

See full terms and conditions.

Polygon Swerves $850M Hack on Ethereum Bridge

Polygon has patched a critical vulnerability that affected its Plasma Bridge. Polygon Pays $2 Million Bounty Ethereum sidechain Polygon has patched a critical bug on its Plasma Bridge contract. A…

Uniswap Deploys on Polygon

Uniswap, one of Ethereum’s largest decentralized exchanges, has been deployed on Polygon. Uniswap Now On Polygon Uniswap, one of the largest decentralized exchanges on Ethereum, has launched on Polygon. Polygon…

Polygon Sets New All-Time High Amid Market Recovery

Polygon has broken past its previous all-time high of $2.62 following a 64% rally over the past month.  Polygon Makes New Highs Polygon is closing out 2021 in bullish form….

A Guide to Yield Farming, Staking, and Liquidity Mining

Yield farming is arguably the most popular way to earn a return on crypto assets. Essentially, you can earn passive income by depositing crypto into a liquidity pool. You can think of these liquidity…


Recommended For You

About the Author: wp4crypto

Leave a Reply

Your email address will not be published.