Ethereum DeFi system Polygon has announced that it patched a critical vulnerability that stood to put some $24 billion of its MATIC coins at risk.
The vulnerability appears to have been discovered in early December by a pair of “white hat” hackers who disclosed it privately to Polygon in return for a bounty payment. The company then kept the issue quiet as it worked to patch it out, announcing on December 29 that it was no longer a risk.
Global supply of MATIC coins was at risk
With a total cap of 10 billion, the 9.27 billion MATIC coins that were exposed by this critical vulnerability represented the vast majority of the world’s supply. MATIC is Polygon’s own coin offering. The decentralized finance (“DeFi”) giant is a popular protocol used alongside the Ethereum blockchain, and MATIC is one of the biggest coins among DeFi offerings.
The emergence of this critical vulnerability highlights the central challenge the DeFi world faces: assuring coin holders that their money is secure without any form of regulation or government oversight. The vulnerability was apparently first discovered by a thief, who was in the midst of stealing some $2 million of the coins when the more ethical hackers noticed the activity and reported it via bug bounty platform Immunefi.
It is unclear if the stolen funds (801,601 MATIC coins) were returned to the rightful owner, but a tweet from Polygon claims that there was “no material harm to the protocol/end-users.” The bug that the hacker was exploiting was reportedly patched out on December 5, though the public announcement would not come for over three weeks. This is in keeping with the “Go Ethereum” guidelines widely adopted by these platforms, which call for behind-the-scenes patching of any critical vulnerabilities and holding back public announcements for four to eight weeks.
The two white hats who reported the vulnerability are being rewarded with a total of nearly $3.5 million in MATIC coins for their efforts.
DeFi’s ability to respond to critical vulnerabilities tested
Polygon co-founder Jaynti Kanani pointed to the response to the critical vulnerability as a successful demonstration of DeFi’s ability to secure itself: “What’s important is that this was a test of our network’s resilience as well as our ability to act decisively under pressure. Considering how much was at stake, I believe our team has made the best decisions possible given the circumstances.”
Since these projects are open source by nature, the response to the discovery of a critical vulnerability is often to initiate a “hard fork” that all of the key stakeholders (such as coin miners) agree to. Exactly how democratic this process is can vary with the structure of the project. Some projects require all coin holders to vote, which can threaten to split the currency in two if the proposal is not accepted by an overwhelming majority of users.
Polygon’s fork to address the critical vulnerability raised some controversy in the community as it was done “in the middle of the night” (though that concept is somewhat meaningless considering a globally distributed userbase) and could be initiated almost unilaterally by Polygon’s owners. The move caused some stir initially due to the policy of not publicly acknowledging critical vulnerabilities for weeks, as holders of MATIC coins wondered what it was all about, but the move seems to have become broadly accepted now that the reason for it has been revealed.
MATIC coins have seen major boosts in recent months, propelling them not only to the top of the DeFi market but also making them one of the fastest-rising of all cryptocurrencies. Worth just a single penny per coin at the start of 2021, MATIC closed the year with a value of around $2.50 USD (with a peak of $2.68 in May). Polygon has become popular as one of the fastest and most efficient Ethereum frameworks, so much so that the Uniswap exchange announced that it will be using the network for its V3 launch.
DeFi networks are estimated to have lost about $680 million to attacks in 2021, the vast majority of that total coming from an attack on the Poly Network in August (and quite a bit of it winding up being returned). That attack aside, the amount represents a relative drop in the bucket of the entire $4 billion in cryptocurrencies stolen in 2021; however, DeFi trading also only represents a fraction of the trading of the overall crypto market (with about $100 billion in total assets compared to $4 trillion for cryptocurrencies as a whole).
Thus far, “zero days” and undiscovered critical vulnerabilities have not been one of DeFi’s more serious security concerns. Most of the theft activity in this space comes from scams, which in turn are often tracked back to insiders. DeFi compromise is most likely to come from the theft or leak of a private key, “frontrunning” attacks that get out ahead of transaction patterns, or just a good old-fashioned “rug pull” in which the project owners close shop and run off with the money. All of these attacks are frequently facilitated by insiders, forcing those in the DeFi market to be very cautious about whom they do business with.