Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
On December 3, a group of white hat hackers notified Polygon’s vulnerability bounty agency Immunefi of a vulnerability in the Polygon PoS creation contract. The Polygon core team contacted the organization and Immunefi's expert team and immediately launched a repair procedure. Validators and the full-node community are notified to upgrade 80% of the network without interruption within 24 hours. The upgrade was performed on December 5th at block #22156660, which did not affect the activity and performance of the network. The vulnerability has been fixed and the damage has been mitigated, with no substantial damage to the agreement and its end users. All Polygon contracts and node implementations remain fully open source. Polygon paid a total of approximately $3.46 million in bounty to the two white hats who helped discover the vulnerability. Despite our best efforts, malicious hackers were able to use this vulnerability to steal 801,601 MATIC before the network upgrade took effect. The foundation will bear the cost of the theft. Attack method (per SlowMist): Contract Vulnerability. Reported loss: 801,601 MATIC.
- chain
- polygon
- protocol
- Polygon
- bug_class
- logic
- date_occurred
- 2021-12-03
- loss_usd
- —
- source_id
- sm:polygon::2021-12-03