A “critical” vulnerability that risked $24 billion in user funds was quietly patched earlier this month by developers at Polygon, a scaling framework for Ethereum—though not before one attacker was able to steal $1.8 million in Polygon’s MATIC token.

The exploit was shared by white hat hackers on bug bounty platform ImmuneFi on December 3. An upgrade was initiated within 48 hours and, in a blog post Wednesday, the Polygon team explained that they chose not to reveal the incident until it was patched.

“Considering the nature of this upgrade, it had to be executed without attracting too much attention,” they wrote.

If left unaddressed, the smart contract vulnerability would have allowed attackers to mint more than 9.2 billion MATIC tokens (from a total supply of 10 billion) from its genesis contract. But Polygon’s prompt upgrade execution meant that no user funds were lost, and the upgrade was completed without a hitch.


$2 million in MATIC stolen

However, the quick-fix hard fork did not come soon enough: before the patch was in place, one malicious attacker used the exploit to steal over 800,000 MATIC (then worth around $1.8 million)—a loss that Polygon Foundation said it would cover.

The project’s co-founder Jaynti Kanani said that such a situation was bound to occur “sooner or later,” but the outcome was a testament to the network’s resilience.

“Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances,” he said. The market appears to agree, with MATIC currency trading at $2.56—up 41% over the past month.


Polygon, which aims to address some of Ethereum's major limitations—including throughput and transaction efficiency—has made major strides throughout the past year. Most recently, decentralized exchange (DEX) Uniswap announced that it would use the network for its V3 launch, sending MATIC to fresh highs.

However, the $98 billion decentralized finance (DeFi) industry has suffered a series of high-profile attacks, most of which have been focused on flash loans. Around $474 million in funds was stolen from the DeFi sector in the first six months of 2021, according to data from forensics startup CipherTrace.
