The Polygon team promised an explanation and here it is. A few weeks ago, the Ethereum Layer 2 network hard-forked their blockchain, seemingly without explanation. As usual, NewsBTC got to the bottom of the case and presented all of the available information. The only piece missing was a promised official report from Polygon’s experts. Is this it? Apparently so.
Before we get into it, let’s remember Polygon’s co-founder Mihailo Bjelic’s explanation as reported by us:
“We’re making an effort to improve security practices across all Polygon projects,” Bjelic tweeted. “As a part of this effort, we are working with multiple security researcher groups, whitehat hackers etc. One of these partners discovered a vulnerability in one of the recently verified contracts. We immediately introduced a fix and coordinated the upgrade with validators/full node operators. No funds were lost. The network is stable.”
It’s important to remember that the crypto ecosystem was concerned with the way that they managed to do all this. It seemed centralized. However, the co-founder assured everyone that “The network is run by validators and full node operators, and we have no control over any of these groups. We just did our best to communicate and explain the importance of this upgrade, but ultimately it was up to them to decide whether they will do it or not.”
However, this was Polygon node operator Mikko Ohtamaa’s further complaint:
“Next time it happens can you at least announce a critical update to all Polygon node operators. Now this looks super unprofessional and confusing for the community. It was not mentioned or pinned down in any major channels or publications.”
And that’s the story so far.
Considering the infamous Poly Network exploit was merely in August this year, it’s good to hear Polygon is working hard in securing their whole operation. They’ve ”been investing significant effort and resources into creating an ecosystem of security expert partners, with the goal of improving the security and robustness of all Polygon solutions and products.” With that in mind, this is the company’s version of what happened:
“Recently, a group of whitehat hackers on the bug bounty platform Immunefi disclosed a vulnerability in the Polygon PoS genesis contract. The Polygon core team engaged with the group and Immunefi’s expert team and immediately introduced a fix. The validator and full node communities were notified, and they rallied behind the core devs to upgrade the network. The upgrade was executed within 24 hours, at block #22156660, on Dec. 5.”
So far, so good. This rhymes with Bjelic’s explanation and gives the community more details. However, we know that they barely notified the validators and node operators. They don’t even have to lie about it, because they do have a great reason as to why they ran the whole operation in stealth mode.
“Considering the nature of this upgrade, it had to be executed without disclosing the actual vulnerability and without attracting too much attention. We are still finalizing our vulnerability disclosure policy and procedures, and for now we are trying to follow the “silent patches” policy introduced and used by the Geth team.”
According to Ohtamaa, “there are multiple open source projects out there” that have done similar operations in a more effective manner. And that might be true, but it doesn’t take from the fact that Polygon’s actions were justified.
What Did The Polygon Experts Say?
In the end, the critical update worked out fine enough:
“The vulnerability was fixed and damage was mitigated, with there being no material harm to the protocol and its end-users. All Polygon contracts and node implementations remain fully open source.”
Remember, one of the early criticism was that they forked the Polygon blockchain “to a completely closed-source genesis.” Here, the official source assures that “contracts and node implementations remain fully open source.” Good. Is there something else they want to tell us?
“We are still working on closing the final proceedings with Immunefi and the whitehat hacker group, primarily in terms of their rewards and multiple rounds of reviews of the fixed vulnerability. We will post a detailed postmortem once this process is finished, likely by the end of next week.”
The team will publish yet another post with even more details for the technically oriented people. That’s above our pay grade. Stay tuned to Polygon’s blog if you’re interested.
Featured Image by Diana Polekhina on Unsplash