Multisig Criticized by Polygon as Not Enough Secure – $5 Billion at Risk?
Polygon is probably the most popular alternative to direct transactions on the Ethereum base layer (L1), giving users the ability to transact quickly and with low fees. Polygon (MATIC) is best known as the Ethereum sidechain, i.e. the Ethereum Virtual Machine (EVM) compatible blockchain that runs its own validation nodes. However, the Polygon development team has also invested heavily in Layer 2 technology, offering services such as the zk-STARKs-based Miden scaling solution.
Of course, with success comes a responsibility to protect any funds users keep on the network. In a recent series of tweets, Justin Bons, founder and CEO of Cyber Capital, accused the Polygon development team of employing lax security measures that mostly revolve around multisig, the control function that controls the Polygon smart contract management key . According to Bons, it controls more than USD 5 billion in user funds.
“Polygon is currently not secure and centralized! It would only take five people to compromise over $5 billion! Four of these people are the founders of Polygon! This is one of the biggest hacks or scams just waiting to happen.”
The development team can take full control of Polygon
“Polygon’s smart contract governance key is governed by five of the eight multisig contracts. This means that the Polygon development team can gain complete control of the network with only 1 out of 4 contracts being out of the project’s control. The other four parties in the multisig were also selected by Polygon.
According to Bons, this also means that the other four parties are “not entirely fair”. Control of the contract management key is tantamount to the power to change the rules. Anything can happen, including the deletion of the entire Polygon contract.
Some criticism has also been directed at Polygon’s alleged lack of transparency. This isn’t the first time Polygon has been accused of this issue. DeFi Watch’s Chris Blec previously broadcast inquiry to the Polygon development team. However, Polygon did not respond to Blec’s request.
The Polygon development team has been vocal about the lack of transparency. The team previously posted report about multisig to clarify the issue. In response to Bons’ tweet, Polygon co-founder Mihailo Bjelic indirectly acknowledged concerns about multisig, as Polygon is “working to eliminate them.” Multisig is implemented in the “early phase” and is clearly not the ideal solution as the system grows.
“Multisig is considered the ultimate approach to protecting user funds in the early stages of development and is used by almost every scalable bridge project.”
Bjelic also cited the transparency report, in which he described a “plan to improve and eventually eliminate multisig,” which Bjelic also later explained in a Bons tweet.
Phishing is not a practical concern for Polygon
According to BjelicI, cheating isn’t really a problem for Polygon; Multisig is used to protect users from hacking and Polygon uses multisig in this way, contrary to what Bons claims.
According to Bons’ criticism, five of the eight multisigs were “completely inadequate” to protect up to $5 billion, and four of those eight multisigs were “awarded” to other parties chosen by Polygon. For Bons, this could pose the risk of collusion.
However, according to BjelicI, the other parties are “reputable Ethereum/Polygon projects and not selected by Polygon that have decided to participate.”
“The more people involved in creating the signature, the more difficult it is to coordinate them in case an immediate response is required. We try to find the right balance; and now have more participants than most other scaling projects,” BjelicI replied.
What should Polygon do?
In his tweet, Bons also shared some advice with the Polygon development team.
According to Bons, Polygon needs to run its own decentralized governance protocol based on Matic token holders. Currently, this is still too centralized under the DPoS (Delegated Proof of Stake) model with a small number of validators. Follow Data of Plygonscan, only four validators mined the majority of blocks in the last seven days.
Once Polygon has decentralized governance, they will need to share the smart contract governance key with Matic token holders, Bons suggested. This will most likely require a switch to a new smart contract from Polygon.
“It’s obviously very difficult and expensive. However, the project didn’t get it right from the start, and that’s the price they pay for the decentralization and security that comes with it. This is where the crypto market should be,” Bons tweeted.
In his response, BjelicI said that the proposed solution “is certainly the aim of the project as described in the transparency report. However, this increases the reaction time in case something goes wrong, so it will be taken care of and activated in stages.”
Join CoinCu Telegram to keep track of news: https://t.me/coincunews