ID: polygon-177

Date: December 3, 2021

Status: Verified

Incident Count: 2
REKT

Contributor: zerofriction.io

KYC By:

KYC:

None


Audit By:

Audits:

Certik

Loss Amount: 1,600,000

Recovered: -

Rewards: 3460000

Currency: USD, MATIC

Whitehat Leon Spacewalker reported a critical vulnerability in Polygon. The vulnerability consisted of a lack of balance/allowance check in the transfer function of Polygon’s MRC20 contract and would have allowed an attacker to steal all ~9,276,584,332 MATIC (as of December 5, the date of the fix) from that contract. Following the report from Leon Spacewalker, Polygon immediately sprang into action to fix the bug. Immunefi assisted in investigating blockchain activity, validating the fix, and advising the hardfork operation.

While Polygon was developing and implementing the fix, a second hacker, whom we will refer to as Whitehat2, submitted a report on December 4 referencing the same vulnerability. Polygon decided to make a one-time exception and rewarded Whitehat2 with 500,000 MATIC.

The upgrade was performed on December 5th at block #22156660 and did not affect the activity or performance of the network. The vulnerability has been fixed and the damage has been mitigated, with no substantial harm to the protocol and its end users. All Polygon contracts and node implementations remain fully open source. Polygon paid a total of approximately $3.46 million in bounties to the two white hats who helped discover the vulnerability. Despite our best efforts, malicious hackers were able to use this vulnerability to steal 801,601 MATIC before the network upgrade took effect. The foundation will bear the cost of the theft.
