Read News For Me
On December 3rd, 2021, whitehat Leon Spacewalker reported a critical vulnerability in the Polygon network: a missing allowance and balance check in the transfer path of Polygon's MRC20 contract. In practice it meant that an attacker could drain all of the MATIC held by the contract.
A second whitehat reported the same vulnerability on December 4th and was awarded 500,000 MATIC. A malicious actor also used the same bug to steal 801,601 MATIC.
The MRC20 contract is deployed on Polygon to support gasless transfers of MATIC: the token holder signs a transfer order off-chain and an operator submits it, paying the gas on the holder's behalf. The bug sat in this path. The "transferWithSig()" function accepted calls without verifying that the supplied signature was valid, and the internal "transferFrom" it invoked simply called "transfer" without checking that the signer actually held enough balance to cover the amount.
Taken together, these bugs meant that anyone could pull an arbitrary amount of MATIC out of the contract, without owning the tokens and without producing a valid signature.
To resolve the issue, Polygon removed the "transferWithSig" function from the contract; with it gone, the vulnerable gasless-transfer path can no longer be used. Polygon worked with Immunefi to fix the critical vulnerability.
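The bug pattern the article describes, as an added Solidity sketch (this is not the MRC20 source and not Polygon's or Immunefi's code): the vulnerable gasless-transfer path beside a hardened variant that adds the signature and balance checks whose absence the article reports. The names "transferWithSig" and "transferFrom" follow the article; the "balances" and "nonces" mappings, the "orderHash" layout and the "Vulnerable" suffixes are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch only. This is NOT the MRC20 source and not Polygon's
// code; it reproduces the shape of the bug the article describes (a gasless
// transfer path with no signature validation and no balance check) next to
// a hardened variant. The balances/nonces mappings and the order-hash
// layout are assumptions made for the example.
contract GaslessTransferSketch {
    mapping(address => uint256) public balances; // assumed: per-holder deposits
    mapping(address => uint256) public nonces;   // assumed: replay protection

    event Transfer(address indexed from, address indexed to, uint256 value);

    // Holders fund their balance. The contract's native balance is the pool
    // that the vulnerable path pays out of.
    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Recovers the signer of `hash` from a 65-byte (r, s, v) signature.
    // Returns address(0) for a malformed signature instead of reverting,
    // which is exactly why callers must check the result.
    function ecrecovery(bytes32 hash, bytes memory sig) public pure returns (address) {
        if (sig.length != 65) return address(0);
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }
        if (v < 27) v += 27;
        if (v != 27 && v != 28) return address(0);
        return ecrecover(hash, v, r, s);
    }

    // Hash of the transfer order the holder signs off-chain (layout assumed).
    function orderHash(address to, uint256 amount, uint256 nonce) public view returns (bytes32) {
        return keccak256(abi.encodePacked(address(this), to, amount, nonce));
    }

    // VULNERABLE shape, as described in the article. msg.sender is the
    // operator paying gas; `from` is whoever the signature recovers to.
    // Bug 1: `from` is never validated, so a garbage signature (from == 0)
    //        is accepted.
    // Bug 2: _transferFromVulnerable never checks that `from` holds `amount`,
    //        so the contract pays any amount to any `to` out of its own pool.
    function transferWithSigVulnerable(bytes calldata sig, uint256 amount, uint256 nonce, address payable to)
        external
        returns (address from)
    {
        from = ecrecovery(orderHash(to, amount, nonce), sig);
        _transferFromVulnerable(from, to, amount);
    }

    function _transferFromVulnerable(address from, address payable to, uint256 value) internal {
        to.transfer(value); // sends the contract's own MATIC regardless of `from`
        emit Transfer(from, to, value);
    }

    // HARDENED variant: the same entry point with the missing checks added.
    // (Per the article, Polygon's actual fix was to remove the function.)
    function transferWithSig(bytes calldata sig, uint256 amount, uint256 nonce, address payable to)
        external
        returns (address from)
    {
        require(amount > 0, "zero amount");
        from = ecrecovery(orderHash(to, amount, nonce), sig);
        require(from != address(0), "invalid signature"); // fix for bug 1
        require(nonce == nonces[from], "bad nonce");        // each order is single-use
        nonces[from] = nonce + 1;
        _transferFrom(from, to, amount);
    }

    function _transferFrom(address from, address payable to, uint256 value) internal {
        require(balances[from] >= value, "insufficient balance"); // fix for bug 2
        balances[from] -= value;                                  // effects before interaction
        (bool ok, ) = to.call{value: value}("");
        require(ok, "send failed");
        emit Transfer(from, to, value);
    }
}
```

Read it as a pattern rather than a reproduction: the relayer (msg.sender) pays gas, the signer is recovered from the submitted bytes, and in the vulnerable path nothing ties the recovered address to the funds being moved, so a signature made with any key, or no valid signature at all, lets the caller spend the pool. The hardened path rejects a zero-address recovery, binds each order to a nonce, and debits the signer's own balance before sending.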
For reporting the vulnerability, Leon Spacewalker received a bug bounty of $2.2 million in stablecoins, exceeding the maximum of Polygon's critical bounty tier because of the severity of the issue. The second whitehat received 500,000 MATIC, worth around $1,262,711 at the time.
After the incident, Polygon improved several existing processes to make the network more resilient: the team updated its critical-response procedures, and the core team is identifying backups for internal resources so as to remove single points of failure during sensitive situations.
Hacks in the DeFi ecosystem are common. Had this vulnerability not been caught in time, it could have resulted in the loss of a considerable amount of MATIC. It shows why every ecosystem needs to invest in expert security partners.
It also shows that future DeFi hacks can be prevented when vulnerabilities are detected early.