Bounty hunting in the blockchain arena seems to be pretty lucrative. Polygon Technology revealed Wednesday that a recent update to its mainnet was released to fix a bug that could have been exploited to steal over $24 billion worth of the MATIC token.
Polygon said the flaw was disclosed by "Leon Spacewalker" via the Immunefi bug bounty platform on December 3. The company prepared a patch to address the flaw later that day and released it to the Mumbai testnet on December 4. However, the bug was exploited later that day to steal $2 million worth of MATIC from the mainnet.
Another security researcher shared details about the vulnerability with Polygon a few hours after the MATIC was stolen. The company ended up paying both of the bounty hunters for their disclosure. Immunefi said that Spacewalker received $2.2 million in stablecoins; the second researcher earned $1.27 million worth of MATIC.
"This experience highlighted the importance of investing into an ecosystem of security expert partners," Polygon said. "We are very grateful to Immunefi for all their help. At the end of the day, this brought Polygon a step closer to becoming the most battle-tested scaling solution for Ethereum." Unfortunately, that is a dubious honor at best.
Polygon said it released the patch to address this flaw on December 5. However, it didn't offer additional information about the incident until December 29. Instead, it wanted to follow the "silent patches" policy used by the Geth team to minimize the potential impact of vulnerabilities that affect the Ethereum network.
The company said that it's also responding to the incident by:
- Updating our critical response processes;
- Consolidating partner contact info and communications channels;
- Identifying and formalizing backups for key internal resources to eliminate single points of failure during time-sensitive situations.
"In the grand scheme of things, and looking ahead at the future of DeFi, this won't be the last case where a severe vulnerability is found," Immunefi said. "As more funds pile into DeFi at record rates, more projects will also have critical exploits buried in their code. It is inevitable. The only difference is whether these future projects take comprehensive security measures and do everything they can to protect their code."
That might not be good news for these decentralized finance (DeFi) projects, but it seems bug bounty hunters can make decent not-quite-cash by looking for vulnerabilities. For example, Polygon theoretically caps its bug bounty program at $2 million, but in this case, it paid $3.46 million "in recognition of the severity of the vulnerability."
This also isn't the first time Polygon has pushed the limits of its bug bounty program. The company paid another security researcher, Gerhard Wagner, $2 million in October for a vulnerability that could have been exploited to steal $850 million worth of cryptocurrency. So far, it's paid out more than $5 million in the last two months.