Hacker Used Exploit, Now Patched, to Steal $2 Million in Tokens

A vulnerability in Polygon, a framework used to build Ethereum-compatible blockchain networks, has been fixed.
The bug, found on Dec. 3 by white hat hackers at bug bounty platform Immunefi, would have put 9,276,584,332 MATIC, worth almost $23 billion at the time, at risk, according to Immunefi.
MATIC is the cryptocurrency used within the Polygon network.
“Polygon’s core development team with help from bug bounty platform Immunefi successfully fixed a critical network vulnerability. Considering the nature of this upgrade, it had to be executed without attracting too much attention,” Polygon said in a release on Wednesday.
All you need to know about the recent Polygon network upgrade.
A security partner discovered a vulnerability
Fix was immediately introduced
Validators upgraded the network
No material harm to the protocol/end-users
White hats were paid a bounty https://t.co/oyDkvohg33 — Polygon | $MATIC (@0xPolygon) December 29, 2021
On Dec. 3, a group of white hat hackers notified Immunefi – which hosts Polygon’s bug bounty program – about the vulnerability in the network’s proof-of-stake genesis contract, according to the blog post.
Before the Polygon team could address the vulnerability, a malicious hacker used the exploit to steal around 801,601 MATIC, worth around $2 million at the time, the post says.
Polygon says it will bear the cost of the theft.
“All projects that achieve any measure of success eventually find themselves in this situation,” says Jaynti Kanani, co-founder of Polygon. “What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances.”
Polygon’s blog post says it was able to “immediately” fix the vulnerability with the help of white hat hackers and Immunefi’s expert team. The upgrade was implemented on Dec. 5.
“The validator and full node communities were notified, and they rallied behind the core devs to upgrade 80% of the network within 24 hours without stoppage,” the post says.
Polygon did not immediately respond to Information Security Media Group’s request for technical details on the vulnerability and the specific risks it posed.
The Vulnerability
Immunefi, in a Medium post, says that the vulnerability consisted of a lack of balance/allowance checks in the transfer function of Polygon’s MRC20 contract and would have allowed an attacker to steal all available MATIC from that contract.
“The MRC20 standard is used primarily for the possibility of transferring MATIC gaslessly, which, with Ether, is impossible to do. When sending Ether, you’re creating a transaction that a wallet needs to sign,” Immunefi says. “Gasless MATIC transfers are facilitated by the transferWithSig() function. The user who owns the tokens signs a bundle of parameters including the operator, amount, nonce and expiration.”
A gasless transaction is one in which a third party sends someone else’s transaction and absorbs what is called the “gas” fee.
Immunefi did not immediately respond to Information Security Media Group’s request for additional details on the specifics of the vulnerability and the process of its discovery.
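To make the missing check concrete, here is an added Solidity sketch of a signature-based gasless transfer of the kind Immunefi describes; it is an illustration written for this article, not Polygon’s MRC20 contract or its patch. Only the signed parameter set (operator, amount, nonce, expiration) comes from the quote above; the contract name, message layout and recovery helper are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative model only (hypothetical contract, not Polygon's MRC20):
// a relayer submits a transfer that the token owner authorised off-chain.
contract GaslessTransferSketch {
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public nonces; // per-owner replay protection

    // msg.sender is the operator/relayer that pays the gas; the owner is the
    // address recovered from `sig`, never a caller-supplied parameter.
    function transferWithSig(
        bytes calldata sig,
        uint256 amount,
        uint256 nonce,
        uint256 expiration,
        address to
    ) external returns (address from) {
        require(block.timestamp <= expiration, "signature expired");
        // Bind contract, operator, amount, nonce, expiration and recipient into
        // the signed digest so a relayer cannot alter any of them.
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(address(this), msg.sender, amount, nonce, expiration, to))
        ));
        from = recover(digest, sig);
        require(from != address(0), "bad signature");
        require(nonce == nonces[from], "bad nonce");
        nonces[from] = nonce + 1;
        // The balance check Immunefi says was absent. Without it, a transfer could
        // be credited to `to` regardless of what `from` actually holds. (Solidity
        // 0.8 checked arithmetic would also revert on underflow; the explicit
        // require makes the invariant visible and gives a clear error.)
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }

    // Standard 65-byte (r, s, v) signature recovery; assumed helper.
    function recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        if (sig.length != 65) return address(0);
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := calldataload(sig.offset)
            s := calldataload(add(sig.offset, 32))
            v := byte(0, calldataload(add(sig.offset, 64)))
        }
        if (v < 27) v += 27;
        return ecrecover(digest, v, r, s);
    }
}
```

The same pattern applies to an allowance check when the signer is spending on behalf of another account: the require on the signer’s balance (or allowance) must run before any state is credited to the recipient.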
Bug Bounty
Polygon paid a total bounty of $3.46 million to two white hat hackers who discovered the bug, according to the blog post. Leon Spacewalker, the first white hat hacker to report the security loophole on Dec. 3, will be rewarded with $2.2 million worth of stablecoins, Immunefi says. It says the second hacker, who was only identified as Whitehat2, will receive 500,000 MATIC (currently over $1.2 million) from Polygon.
Spacewalker did not respond to ISMG’s request for comment.
Transparency Issues
Twitter is abuzz with concerns about how Polygon addressed the vulnerability.
Nathan Worsley, an MEV engineer and DeFi builder, tweeted: “Are we all supposed to just shut up and forget about the fact that over a week ago Polygon hard-forked their blockchain in the middle of the night with no warning to a completely closed-source genesis and still haven’t verified the code or explained what’s going on?”
We are now investing much more in security and we are making an effort to improve security practices across all Polygon projects.
As part of this effort, we are working with multiple security researcher groups, whitehat hackers etc. One of these partners discovered a..
— Mihailo Bjelic (@MihailoBjelic) December 15, 2021
Polygon says there is a “natural tension between security and transparency, both of which are the cornerstone values at Polygon.”
“Our initial disclosure was minimal because we follow the silent patches policy introduced and used by the Geth [an Ethereum software client] team. All in all, the core development team struck the best possible balance between openness and doing what’s best for the community, partners and the broader ecosystem in handling this extremely urgent and sensitive issue. But you can be the judge of that,” Polygon says.