A critical vulnerability in the Polygon network that could have been exploited to compromise all MATIC coins was thwarted by two ethical hackers and a timely patch.
A controversial fork in the project, initiated in early December without much explanation of its purpose, turned out to be the patch that saved some $24 billion in MATIC coins. It appears that the first person to discover the vulnerability was exploiting it to siphon off coins, but their activity was spotted and reported before serious damage could be done.
Critical vulnerability in Polygon protocol kept quiet due to security policy
The Polygon protocol is one of the most commonly used in the world of decentralized finance (“defi”), and MATIC coins are backed by it. This critical vulnerability was apparently bad enough that it threatened nearly the entire existing supply.
A thief was already hoarding the currency, having stolen about two million in MATIC coins before others noticed what was happening. While that theft certainly ruined the day of at least one involved party, it is only a tiny fraction of the $24 billion in circulating supply that might have been compromised if the response had not been so fast.
The incident is a relatively rare example of a defi offering being compromised by a previously unseen security hole. Over half a billion in defi currency was stolen in 2021, but these losses are usually the result of a scam or the leak of a private key. It is unsurprising that MATIC coins attracted this sort of attention from cyber criminals, as they are the most valuable of the defi tokens and one of the hottest cryptocurrencies in general (with roughly a 250% increase in value over the course of 2021).
The fact that a critical vulnerability was being patched was not revealed to holders of MATIC coins when a “hard fork” was suddenly announced in early December, causing some amount of commotion. It turns out that Polygon was holding to a widely-adopted security policy that calls for keeping vulnerability disclosures quiet for about a month. Forking did not seem to inspire any calls to separate the currency, and the value remained strong throughout December.
9.2 billion MATIC coins saved from compromise
The two whitehat hackers that reported the theft of MATIC coins were rewarded quite well with bounty funds: $2 million to the first to report the critical vulnerability, and $1.5 million to the second. That is also a relatively small price to pay considering how devastating this issue could have been.
Security is a central concern for defi platforms going forward, as they intentionally (and sometimes quite defiantly) stand outside of the regulated world of fiat currencies. Some are turning to third-party auditing firms that specialize in the blockchain; firms of this type have existed for roughly the past decade and have had some years now to build reputations for themselves.