Polygon’s Side Of The Story: Hard-Fork Resolved A “Critical Vulnerability”
December 28 2021 - 7:21AM
NEWSBTC
The Polygon team has offered an explanation, and here it is. A few weeks ago, the Ethereum Layer 2 network hard-forked its blockchain, seemingly without explanation. As usual, NewsBTC got to the bottom of the case and presented all of the available information. The only piece missing was a promised official report with a detailed explanation from Polygon’s experts. Is this it? Apparently so.

Related Reading | Community Voted, Why Uniswap Will Be Deployed On Polygon

Before we get into it, let’s remember Polygon co-founder Mihailo Bjelic’s explanation, as reported by us:
“We’re making an effort to improve security practices across all Polygon projects,” Bjelic tweeted. “As a part of this effort, we are working with multiple security researcher groups, whitehat hackers etc. One of these partners discovered a vulnerability in one of the recently verified contracts. We immediately introduced a fix and coordinated the upgrade with validators/full node operators. No funds were lost. The network is stable.”

Remember that part of the crypto community was concerned that the way the team managed to push the upgrade through looked centralized. However, the co-founder assured everyone that “The network is run by validators and full node operators, and we have no control over any of these groups. We just did our best to communicate and explain the importance of this upgrade, but ultimately it was up to them to decide whether they will do it or not.”

Polygon node operator Mikko Ohtamaa, however, had a further complaint: “Next time it happens can you at least announce a critical update to all Polygon node operators. Now this looks super unprofessional and confusing for the community. It was not mentioned or pinned down in any major channels or publications.”

What Did The Polygon Experts Say?
Considering that the infamous Poly Network exploit (an unrelated cross-chain bridge project, despite the similar name) happened only in August this year, it’s good to hear that Polygon is working hard at securing its whole operation. They’ve “been investing significant effort and resources into creating an ecosystem of security expert partners, with the goal of improving the security and robustness of all Polygon solutions and products.” With that in mind, this is the company’s version of what happened:

“Recently, a group of whitehat hackers on the bug bounty platform Immunefi disclosed a vulnerability in the Polygon PoS genesis contract. The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix. The validator and full node communities were notified, and they rallied behind the core devs to upgrade the network. The upgrade was executed within 24 hours, at block #22156660, on Dec. 5.”

So far, so good. This rhymes with Bjelic’s explanation and gives the community more details. However, as Ohtamaa’s complaint shows, the notification barely reached validators and node operators. The team doesn’t deny it, because they have a good explanation for why they ran the whole operation in stealth mode:

“Considering the nature of this upgrade, it had to be executed without disclosing the actual vulnerability and without attracting too much attention. We are still finalizing our vulnerability disclosure policy and procedures, and for now we are trying to follow the “silent patches” policy introduced and used by the Geth team.”

According to Ohtamaa, “there are multiple open source projects out there” that have done similar operations in a more effective manner. That may be true, but it doesn’t take away from the fact that Polygon’s actions were justified by the need to patch before the vulnerability became public.
MATIC price chart on Binance | Source: MATIC/USD on TradingView.com
The Aftermath

In the end, the critical update worked out well enough: “The vulnerability was fixed and damage was mitigated, with there being no material harm to the protocol and its end-users. All Polygon contracts and node implementations remain fully open source.”

Related Reading | Polygon Opens Vault On MakerDAO, Commits $50 Million Worth Of Matic Tokens

Remember, one of the early criticisms was that they forked the Polygon blockchain “to a completely closed-source genesis.” Here, the official source assures us that “contracts and node implementations remain fully open source.” Is there something else they want to tell us? “We are still working on closing the final proceedings with Immunefi and the whitehat hacker group, primarily in terms of their rewards and multiple rounds of reviews of the fixed vulnerability. We will post a detailed postmortem once this process is finished, likely by the end of next week.”

The team will publish yet another post with even more details for the technically oriented people. That’s above our pay grade. Stay tuned to Polygon’s blog if you’re interested.

Featured Image by Diana Polekhina on Unsplash - Charts by TradingView