Whitehat Leon Spacewalker reported a critical vulnerability in Polygon. The vulnerability consisted of a lack of balance/allowance check in the transfer function of Polygon’s MRC20 contract and would have allowed an attacker to steal all ~9,276,584,332 MATIC (as of December 5, the date of the fix) from that contract. Following the report from Leon Spacewalker, Polygon immediately sprang into action to fix the bug. Immunefi assisted in investigating blockchain activity, validating the fix, and advising the hardfork operation.

While Polygon was developing and implementing the fix, a second hacker, who we will refer to as Whitehat2, submitted a report on December 4 referencing the same vulnerability. Polygon decided to make a one-time exception and rewarded Whitehat2 with 500,000 MATIC.

The upgrade was performed on December 5th at block #22156660, which did not affect the activity and performance of the network. The vulnerability has been fixed and the damage has been mitigated, with no substantial damage to the agreement and its end users. All Polygon contracts and node implementations remain fully open source. Polygon paid a total of approximately $3.46 million in bounty to the two white hats who helped discover the vulnerability. Despite our best efforts, malicious hackers were able to use this vulnerability to steal 801,601 MATIC before the network upgrade took effect. The foundation will bear the cost of the theft.