Polygon quietly hard-forked at the start of the month: a critical flaw allowed arbitrary minting of MATIC tokens; the team maintains its decision-making was sound


Polygon, the Layer 2 solution for Ethereum, carried out an emergency mainnet upgrade earlier this month. The team gave no details when it executed the hard fork on 12/5; only on 12/29 did it officially disclose that the upgrade had fixed a vulnerability with severe consequences for the project. Although the incident ended without major losses and the MATIC token price did not crash, the controversy over the team's heavily centralized handling of the upgrade remains.

Event Timeline

According to an official announcement from Polygon, the events unfolded as follows:

12/3 10:11: White-hat hacker Leon Spacewalker reported a potential vulnerability to the bug bounty platform Immunefi.

12/3 16:18: Polygon confirmed the existence of the vulnerability; one hour later, the team decided to upgrade the mainnet as soon as possible.

12/3 20:18: Bor v0.2.12-beta1 went live on the Mumbai Testnet at block height #22244000.

12/4 04:26: The Mumbai Testnet update was completed, preparing for the mainnet update.

12/4 13:46: A malicious actor successfully exploited the vulnerability, stealing 801,601 MATIC tokens.

12/4 18:53: A second white-hat hacker submitted the same vulnerability report to Immunefi.

12/4 21:08: Polygon notified validator nodes that the mainnet would undergo an emergency upgrade.

12/5 07:27: The mainnet update was completed at block height #22156660, with over 90% of validators having upgraded.

Team Statement

Polygon pointed out the difficulty of balancing security against transparency. It initially withheld disclosure of the vulnerability, citing the "silent patch" policy of the Ethereum client Geth, which states:

If an important consensus or DoS vulnerability exists in the updated version, someone will attempt to attack nodes and exploit it. To delay potential attacks and minimize the impact on most nodes, temporarily sacrificing transparency may be worthwhile. Therefore, it is sometimes best to keep quiet about vulnerabilities. Projects such as Zcash, Monero, and Bitcoin follow the same practice.

In conclusion, the Polygon core team believes it struck the best available balance between its obligations to open source, the community, its partners, and the wider ecosystem in handling this urgent and significant issue, but it welcomes feedback on the decision.

Polygon Bears the Loss

According to the disclosure published by the bug bounty platform Immunefi on the same day, 12/29, the vulnerability could have allowed attackers to mint more than 9.2 billion MATIC tokens out of a total supply of 10 billion; the attacker who exploited it before the fix stole 801,601 tokens. Polygon will absorb the loss and will also pay approximately $3.46 million in bounties to the two white-hat hackers.

Controversy arose because the team pushed the mainnet upgrade through without consulting the community, but the team also faced real risk had it disclosed the vulnerability before validators had patched. With the recent surges of SOL and AVAX and the critique of Ethereum by the founder of Three Arrows Capital drawing most of the community's attention, Polygon's late-night emergency upgrade received little discussion.

The price of MATIC was not affected by the mainnet upgrade, rising 34% since 12/6, nearing $3 at its peak before settling at $2.46 at the time of writing.

Chart: MATICUSDT, 4-hour candles