Polygon hacked for over 800,000 MATIC

Summary

In early December 2021, Polygon, an Ethereum-based network, "silently fixed" a vulnerability that had put its native MATIC tokens, worth $24 billion, at risk. The issue came to light after a group of ethical hackers informed Immunefi, a bug bounty platform associated with decentralised finance (DeFi) that hosts the bug bounty for the Polygon network. The two white hat hackers who helped discover the bug were paid a combined $3.46 million under the bug bounty program. However, before the recommended upgrade was deployed, other hacker(s) were able to steal 801,601 MATIC tokens, worth around $2.4 million at the time of the hack.

Attackers

The perpetrators remain unidentified.

Losses

The hackers made off with 801,601 MATIC tokens before the vulnerability was fixed.

Timeline

  • December 3, 2021: A group of whitehat hackers notified Immunefi, which hosts Polygon’s bug bounty, of a vulnerability in the Polygon PoS genesis contract.
  • December 4, 2021: The Polygon team, the whitehat hackers, and Immunefi worked to fix the vulnerability and began preparing the necessary update. However, the hackers were quick to notice the activity on the network and stole 801,601 MATIC tokens.
  • December 5, 2021, 7:27 AM UTC: The upgrade was completed, and the vulnerability was fixed at block 22,156,660 via an ‘Emergency Bor Upgrade’ to the mainnet. The upgrade was in response to a critical vulnerability discovered by whitehat hackers.
  • December 30, 2021: The earliest article reporting the hack was published.

Security Failure Causes

The main reason for the attack was a bug in the Polygon Plasma bridge, a two-way token gateway that allows users to transfer assets from the Polygon network to the Ethereum mainnet and back.