Polygon’s Side Of The Story: Hard-Fork Resolved A “Critical Vulnerability”

The Polygon team has offered an explanation, and here it is. A few weeks ago, the Ethereum Layer 2 network hard-forked its blockchain, seemingly without explanation. As usual, NewsBTC got to the bottom of the case and presented all of the available information. The only piece missing was the promised official report with a detailed explanation from Polygon’s experts. Is this it? Apparently so.


Before we get into it, let’s remember Polygon’s co-founder Mihailo Bjelic’s explanation as reported by us: 


“We’re making an effort to improve security practices across all Polygon projects,” Bjelic tweeted. “As a part of this effort, we are working with multiple security researcher groups, whitehat hackers etc. One of these partners discovered a vulnerability in one of the recently verified contracts. We immediately introduced a fix and coordinated the upgrade with validators/full node operators. No funds were lost. The network is stable.” 

It’s important to remember that the crypto community was concerned that the way Polygon managed to pull all of this off looked centralized. However, the co-founder assured everyone that “The network is run by validators and full node operators, and we have no control over any of these groups. We just did our best to communicate and explain the importance of this upgrade, but ultimately it was up to them to decide whether they will do it or not.”

However, this was Polygon node operator Mikko Ohtamaa’s further complaint:

“Next time it happens can you at least announce a critical update to all Polygon node operators. Now this looks super unprofessional and confusing for the community. It was not mentioned or pinned down in any major channels or publications.”

What Did The Polygon Experts Say?

Considering that the infamous Poly Network exploit happened only in August this year (Poly Network is a separate cross-chain bridge, not Polygon, though the two are often confused), it’s good to hear that Polygon is working hard on securing its whole operation. They have “been investing significant effort and resources into creating an ecosystem of security expert partners, with the goal of improving the security and robustness of all Polygon solutions and products.” With that in mind, this is the company’s version of what happened:


“Recently, a group of whitehat hackers on the bug bounty platform Immunefi disclosed a vulnerability in the Polygon PoS genesis contract. The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix. The validator and full node communities were notified, and they rallied behind the core devs to upgrade the network. The upgrade was executed within 24 hours, at block #22156660, on Dec. 5.”

So far, so good. This matches Bjelic’s explanation and gives the community more details, including the exact block number and date. However, we know from Ohtamaa’s complaint that validators and node operators were barely notified. Polygon doesn’t dispute that; instead, it offers a reasonable explanation for why the whole operation was run in stealth mode.

“Considering the nature of this upgrade, it had to be executed without disclosing the actual vulnerability and without attracting too much attention. We are still finalizing our vulnerability disclosure policy and procedures, and for now we are trying to follow the ‘silent patches’ policy introduced and used by the Geth team.”

According to Ohtamaa, “there are multiple open source projects out there” that have handled similar situations more effectively. That might be true, but it doesn’t take away from the fact that Polygon’s actions were justified: a publicly announced patch for an unpatched vulnerability in a live contract tells attackers exactly where to look.


MATIC price chart on Binance | Source: MATIC/USD on TradingView.com

The Aftermath

In the end, the critical update worked out well enough:

“The vulnerability was fixed and damage was mitigated, with there being no material harm to the protocol and its end-users. All Polygon contracts and node implementations remain fully open source.”


Remember, one of the early criticisms was that they forked the Polygon blockchain “to a completely closed-source genesis.” Here, the official source assures us that “contracts and node implementations remain fully open source.” Is there something else they want to tell us?

“We are still working on closing the final proceedings with Immunefi and the whitehat hacker group, primarily in terms of their rewards and multiple rounds of reviews of the fixed vulnerability. We will post a detailed postmortem once this process is finished, likely by the end of next week.”

The team will publish yet another post, with even more details, for technically minded readers. That’s above our pay grade. Stay tuned to Polygon’s blog if you’re interested.

Featured Image by Diana Polekhina on Unsplash - Charts by TradingView



Poly Network Confirms Hacker Has Returned Most Of The Stolen Crypto

The crypto market has been rocked by the news of what might be the biggest DeFi hack in history. On August 10th, the exploitation of the Poly Network saw the hacker(s) make off with more than $600 million in crypto, a hack that shook the entire DeFi market to its very core.

The hacker made off with over $200 million in ETH and hundreds of millions more in other tokens. After a user warned that the stolen USDT had been blacklisted, the hacker sent approximately $42K in ETH to the address that issued the warning, which resulted in hundreds of transactions being sent to the hacker’s address asking for money.



This culminated in a three-day rollercoaster of emotions and negotiations. The team behind the Poly Network, in a desperate attempt, penned a letter to the hacker begging for the stolen funds to be returned. To much surprise, the hacker listened and agreed to return the funds, but asked that a multisig wallet address be provided for the crypto to be transferred into.

Hacker Begins To Return Stolen Crypto

Following the provision of the wallet, the hacker began the process of returning the crypto. At first, the hacker returned SHIB and other tokens, amounting to over $250 million, but a large part of the loot was still left in the hacker’s wallet. The Poly Network team confirmed this in a tweet following the return.


Various wallet addresses were provided for the hacker to send the crypto into, including an Ethereum wallet, a BSC wallet, and a Polygon wallet, all of them multisig wallets as the hacker had specified. The hacker had requested multisig wallets because, they said, there was a failed connection to the Poly Network.


Less than 24 hours ago, the Poly team again took to Twitter to announce more returns, this time stating that the hacker had returned most of the stolen crypto. All assets had been sent to the multisig wallets provided by the Poly Network, except for the frozen USDT.

Why Is The Hacker Doing This?

One speculation was that the identity of the hacker had been compromised, hence their willingness to return such a massive amount to the network. The hacker denied this, saying that they had taken adequate precautions to make sure they would not be identified, such as using a temporary device fingerprint. This matters because one of the pieces of information that the security company SlowMist announced it had acquired was the hacker’s device fingerprint.


Another speculation was that the stolen crypto had already been tagged. In that case, there was no way the hacker could spend the funds without exposing themselves: every transaction would be tracked meticulously, leading to the discovery of whoever was behind the wallets the funds were transferred to.

There was a lot of back and forth with the hacker before they agreed to return the funds. The hacker even went as far as hosting a Q&A session, where they answered questions about the hack, such as why they had done it. The hacker replied by asking what the questioner would have done if faced with such an amount of money, and also stated that they “prefer to stay in the dark and save the world.”


The stolen crypto has not been fully released yet. Multisig wallets require signatures from a threshold of the involved parties before funds can move, and the hacker holds one of the keys, so they would still have to sign off for the funds to be released to the Poly Network team. Once the final key is received from the hacker, the team can regain access to both the assets and the cross-chain services.
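The threshold mechanism described above, as an added example that is not part of the original article or of the Poly Network’s own wallet contracts: a 2-of-3 threshold wallet in Go using Ed25519 signatures, where a transfer executes only when two distinct owners have signed the same message, and a nonce stops a signed transfer from being replayed. Real Ethereum multisig wallets are Solidity contracts using secp256k1 keys; the wallet label, recipient name, owner keys and amounts here are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wallet is an m-of-n threshold wallet: a transfer executes only when at
// least Threshold distinct owners have signed the same transfer message.
type Wallet struct {
	Owners    []ed25519.PublicKey
	Threshold int
	Nonce     uint64 // replay protection: each executed transfer consumes one nonce
	Balance   uint64
}

// Transfer is what the owners are asked to approve.
type Transfer struct {
	To     string
	Amount uint64
	Nonce  uint64
}

// Approval is one owner's signature over a transfer.
type Approval struct {
	Owner int // index into Wallet.Owners
	Sig   []byte
}

func putU64(buf []byte, v uint64) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], v)
	return append(buf, b[:]...)
}

// Message serialises a transfer deterministically and binds it to one wallet
// (length-prefixed fields, so "ab"+"c" and "a"+"bc" cannot collide).
func (t Transfer) Message(walletID string) []byte {
	buf := putU64(nil, uint64(len(walletID)))
	buf = append(buf, walletID...)
	buf = putU64(buf, uint64(len(t.To)))
	buf = append(buf, t.To...)
	buf = putU64(buf, t.Amount)
	return putU64(buf, t.Nonce)
}

// Sign produces one owner's approval of a transfer.
func Sign(priv ed25519.PrivateKey, owner int, walletID string, t Transfer) Approval {
	return Approval{Owner: owner, Sig: ed25519.Sign(priv, t.Message(walletID))}
}

// Execute moves funds only if the nonce is current and enough distinct
// owners have validly signed this exact transfer.
func (w *Wallet) Execute(walletID string, t Transfer, approvals []Approval) error {
	if t.Nonce != w.Nonce {
		return errors.New("stale or replayed transfer: nonce mismatch")
	}
	msg := t.Message(walletID)
	seen := map[int]bool{}
	valid := 0
	for _, a := range approvals {
		if a.Owner < 0 || a.Owner >= len(w.Owners) || seen[a.Owner] {
			continue // unknown owner, or the same owner counted twice
		}
		if !ed25519.Verify(w.Owners[a.Owner], msg, a.Sig) {
			continue // signature over a different message or by a different key
		}
		seen[a.Owner] = true
		valid++
	}
	if valid < w.Threshold {
		return fmt.Errorf("need %d valid signatures, got %d", w.Threshold, valid)
	}
	if t.Amount > w.Balance {
		return errors.New("insufficient balance")
	}
	w.Balance -= t.Amount
	w.Nonce++
	return nil
}

// DemoResult records what each attempt against the constructed wallet returned.
type DemoResult struct {
	OneSig, DupSig, TwoSig, Replay error
	Balance                        uint64
}

// Demo builds a constructed 2-of-3 wallet (owners 0 and 1 stand for the team,
// owner 2 for the hacker's key) and tries the cases that matter.
func Demo() DemoResult {
	const walletID = "recovery-wallet-eth" // constructed label, not a real address
	var pubs []ed25519.PublicKey
	var privs []ed25519.PrivateKey
	for i := 0; i < 3; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		pubs, privs = append(pubs, pub), append(privs, priv)
	}
	w := &Wallet{Owners: pubs, Threshold: 2, Balance: 1000}
	t := Transfer{To: "team-treasury", Amount: 600, Nonce: w.Nonce}
	a0, a2 := Sign(privs[0], 0, walletID, t), Sign(privs[2], 2, walletID, t)
	var r DemoResult
	r.OneSig = w.Execute(walletID, t, []Approval{a0})       // one key is not enough
	r.DupSig = w.Execute(walletID, t, []Approval{a0, a0})   // same owner twice counts once
	r.TwoSig = w.Execute(walletID, t, []Approval{a0, a2})   // threshold met
	r.Replay = w.Execute(walletID, t, []Approval{a0, a2})   // nonce already consumed
	r.Balance = w.Balance
	return r
}

func main() {
	r := Demo()
	fmt.Println("one signature:", r.OneSig)
	fmt.Println("duplicate signer:", r.DupSig)
	fmt.Println("two signers:", r.TwoSig)
	fmt.Println("replay:", r.Replay)
	fmt.Println("balance:", r.Balance)
}
```

The point a practitioner should take from this is that the threshold is enforced by verifying each signature against the same serialised message, de-duplicating by owner, and advancing a nonce; without the key held by the third party, the other two owners cannot reach the threshold, which is exactly the position the Poly team is in until the hacker signs.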

Featured image from ZDNet

