Polygon deploys a fix to network vulnerability via ‘silent patch’

The Polygon team has opened up about a major security vulnerability that threatened the loss of 9 billion MATIC tokens. The critical security issue was identified by a group of white-hat hackers.
On December 29th, Polygon’s core development team announced a major upgrade that seems to have patched a major security flaw in the Polygon smart contract. The silent upgrade was carried out after a group of white-hat hackers notified the bug bounty platform Immunefi.
Averting a major crisis
One of the white hat hackers had initially submitted a report of the vulnerability in the Polygon PoS genesis contract to Immunefi on 3rd December so that the issue could be addressed at the earliest. The Polygon developers, along with the white hat hackers and Immunefi’s expert team, swiftly began looking at fixes and came up with a patch within the next 24 hours.
The upgrade took place without an announcement on Dec 5. To keep the critical network vulnerability secret so that it wouldn’t be exploited, the Polygon team refrained from announcing it to the community until the damage was mitigated. Polygon’s team reportedly paid $3.46 million in bounties to the two white hat hackers who helped discover the bug.
Unfortunately, before the patch could be deployed, one attacker had already managed to steal around 801,601 MATIC tokens. However, the Polygon foundation asserted that it will bear that expense and compensate for the loss.
Polygon’s co-founder Jaynti Kanani said in a statement that any project is open to such vulnerabilities and will one day find itself in a precarious situation. He went on to add,
“What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances.”
Course of action
Bugs and vulnerabilities are not new to blockchain protocols, as with any technology. To stay one step ahead of attackers, Polygon’s core team members have come up with a few measures. Since the deployment of the security fix, the developers have investigated a number of existing processes that can be improved to make the Polygon protocol’s network and community more resilient to future security threats.
The process includes updating critical responses, consolidating partner contact information and communication channels, and identifying and formalizing backups for key internal resources to eliminate single points of failure during time-sensitive situations.
