In the last couple of months, Polygon has been investing significant effort and resources into creating an ecosystem of security expert partners, with the goal of improving the security and robustness of all Polygon solutions and products. We have established relationships with a number of teams and individuals that have already helped us immensely, mainly by providing valuable feedback and helping with vulnerability discovery and resolution.
Recently, a group of whitehat hackers on the bug bounty platform Immunefi disclosed a vulnerability in the Polygon PoS genesis contract. The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix. The validator and full node communities were notified, and they rallied behind the core devs to upgrade the network. The upgrade was executed within 24 hours, at block #22156660, on Dec. 5.
Considering the nature of this upgrade, it had to be executed without disclosing the actual vulnerability and without attracting too much attention. We are still finalizing our vulnerability disclosure policy and procedures, and for now we are trying to follow the “silent patches” policy introduced and used by the Geth team.
The upgrade was executed successfully, without impacting the liveness or performance of the network in any major way. The vulnerability was fixed and the damage was mitigated, with no material harm to the protocol or its end users. All Polygon contracts and node implementations remain fully open source.
We are still working on closing the final proceedings with Immunefi and the whitehat hacker group, primarily in terms of their rewards and multiple rounds of reviews of the fixed vulnerability. We will post a detailed postmortem once this process is finished, likely by the end of next week.
In addition to this upgrade, Polygon’s core team has carried out an extensive analysis and identified a number of existing processes that can be improved as well as actions that will make the network and our community more resilient in the future. We will share more details about these efforts and improvements in the future.
Thank you all for the continuous support. Please check our blog for the latest developments.
Let’s bring the world to Ethereum!