'Critical' Polygon bug put $24 billion in tokens at risk until recent hard fork

Quick Take

  • Polygon could have lost almost all of its MATIC tokens worth $24 billion if a severe bug had gone unnoticed.
  • Polygon undertook a hard fork to fix the bug and save the project, but didn’t disclose details about the vulnerability until Wednesday.

Ethereum scaling project Polygon was at risk of losing nearly all of its MATIC tokens until it upgraded its network earlier this month.

The problem was a "critical" vulnerability in Polygon's proof-of-stake genesis contract, which could have allowed attackers to steal over 9.2 billion MATIC tokens (currently worth over $24 billion). The total supply of MATIC tokens is 10 billion.

The vulnerability was reported on the bug bounty platform Immunefi by a whitehat hacker known as Leon Spacewalker. According to details shared Wednesday, the bug essentially could have allowed attackers to arbitrarily mint all of Polygon's more than 9.2 billion MATIC tokens from its MRC20 contract.

After Spacewalker found the bug, Immunefi informed the Polygon team the same day. The team then confirmed the vulnerability and moved to update the Polygon network, initially with an update for its Mumbai testnet.

According to Polygon, the testnet update was completed on December 4, and the team was preparing for the mainnet upgrade. Yet before the mainnet upgrade was undertaken, a malicious actor exploited the bug and stole 801,601 MATIC tokens (currently worth over $2 million). Polygon has said it will bear the cost of the theft.

After the MATIC tokens were stolen, a second whitehat hacker (who remains anonymous) discovered the vulnerability and submitted a report to Immunefi. Polygon then released an emergency upgrade for its mainnet, with the hard fork taking place on December 5. 

Though details of the incident wouldn't be released until December 29, chatter on social media in mid-December emerged about Polygon's silent, zero-warning hard fork.


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

At the time, Polygon co-founder Mihailo Bjelic said that there was a vulnerability and that the team would release additional details. "We are now investing much more in security and we're making an effort to improve security practices across all Polygon projects," he wrote at the time. 

As for why the project waited until now to disclose the bug, Polygon said it follows a "silent patches" policy introduced and used by Geth (an Ethereum software client) team, explaining:

"All in all, the core development team struck the best possible balance between openness and doing what is best for the community, partners and the broader ecosystem in handling this extremely urgent and sensitive issue. But you can be the judge of that."

The Polygon team awarded bug bounties worth roughly $3.46 million, with Spacewalker receiving $2.2 million worth of stablecoins, and the anonymous whitehat hacker receiving 500,000 MATIC tokens (currently worth over $1.27 million).

The market for MATIC doesn't appear to have been affected by the bug news, with the token trading at around $2.59 as of press time.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Yogita Khatri is a senior reporter at The Block, covering all things crypto. As one of the earliest team members, Yogita has played a pivotal role in breaking numerous stories, exclusives and scoops. With nearly 3,000 articles under her belt, Yogita holds the records as The Block's most-published and most-read author of all time. Prior to joining The Block, Yogita worked at crypto publication CoinDesk and The Economic Times, where she wrote on personal finance. To contact her, email: [email protected]. For her latest work, follow her on X @Yogita_Khatri5.