A “critical” vulnerability that risked $24 billion in user funds was quietly patched earlier this month by developers at Polygon, a scaling framework for Ethereum—though not before one attacker was able to steal $1.8 million in Polygon’s MATIC token.
The exploit was shared by white hat hackers on bug bounty platform ImmuneFi on December 3. An upgrade was initiated within 48 hours and, in a blog post Wednesday, the Polygon team explained that they chose not to reveal the incident until it was patched.
“Considering the nature of this upgrade, it had to be executed without attracting too much attention,” they wrote.
If left unaddressed, the smart contract vulnerability would have allowed an attacker to mint more than 9.2 billion MATIC tokens (out of a total supply of 10 billion) from Polygon's genesis contract. Because the upgrade was executed promptly, Polygon says no user funds were lost, and the upgrade itself went through without a hitch.
All you need to know about the recent Polygon network update.
✅A security partner discovered a vulnerability
✅Fix was immediately introduced
✅Validators upgraded the network
✅No material harm to the protocol/end-users
✅White hats were paid a bounty https://t.co/oyDkvohg33
— Polygon | $MATIC 💜 (@0xPolygon) December 29, 2021
$2 million in MATIC stolen
However, the quick-fix hard fork did not come soon enough to stop one malicious actor, who used the exploit to steal over 800,000 MATIC (then worth around $1.8 million) before the patch landed, a loss that the Polygon Foundation said it would cover.