Ethereum scaling solution Polygon has disclosed a patched “critical” vulnerability in its Proof-of-Stake genesis contract that could have allowed attackers to steal over 9.2 billion MATIC tokens, worth over $24 billion.
The vulnerability, which could have allowed for over 90% of MATIC’s supply to be stolen, was reported on the bug bounty platform Immunefi by a white hat hacker known as Leon Spacewalker.
After the bug was found, Immunefi quickly informed the Polygon team, which confirmed it and moved to update the Polygon network. An initial update was deployed on the Mumbai testnet on December 4, before being deployed on the mainnet.
Ahead of the mainnet deployment, however, a malicious actor exploited the bug to steal 801,601 MATIC tokens, worth over $2 million. After the theft, a second white hat hacker, who has remained anonymous, submitted a report through Immunefi.
Polygon then released an emergency update with a hard fork taking place on December 5. The Polygon team awarded bug bounties worth $3.46 million, with Spacewalker receiving $2.2 million in stablecoins and the anonymous white hat hacker receiving 500,000 MATIC.