Here’s the story: Polygon has disclosed a $1.6 million exploit, 25 days after it happened
The core development team behind Polygon has revealed that a critical flaw in one of its contracts gave a hacker the opportunity to withdraw $1.6 million.
Critical vulnerability in Polygon patched
Polygon, a proof-of-stake sidechain on Ethereum, reported that a critical bug in the network was fixed by a hard fork on December 5th. Before the hard fork, an unknown hacker stole 1.6 million US dollars’ worth of MATIC, as the team revealed in a blog post on Thursday, 25 days after the event.
In the first week of December, Leon Spacewalker and Whitehat2, two ethical hackers associated with the Immunefi bug bounty platform, informed Polygon of a critical vulnerability. The bug was found in the transfer function of the MRC20 contract, which is used for gasless transactions on the network.
After the bug was reported, Polygon patched it with a quietly coordinated hard fork carried out together with all of the validators and node operators. Although the vulnerability was fixed within a few days, that was not enough to stop an anonymous black-hat hacker from stealing 801,601 MATIC, worth $1.6 million at the time. In its post-incident report, the team wrote:
“Despite our best efforts, a malicious hacker was able to exploit the vulnerability to steal 801,601 MATIC before the network upgrade took effect.”
The situation could have been far worse had the vulnerability not been identified and patched in a timely manner. Immunefi, the company that helped Polygon deliver the fix, stated in a separate blog post that, had the bug not been reported, hackers could have drained approximately 9.2 billion MATIC, valued at an estimated $20 billion.
As for the steps the team was taking to address the vulnerability, Polygon co-founder Jaynti Kanani said the team had “made the best decision possible, given the circumstances.”
Polygon paid $3.46 million in bounties to the ethical hackers who reported the bug. In addition, the team says it will cover the stolen MATIC.
This is not the first time a critical bug has been discovered and patched on Polygon. In October 2021, Polygon fixed a critical bug in the Plasma Bridge that had put $850 million in funds at risk.
Polygon has not yet given a reason why the hack was not made public during the 25 days since it occurred.