The Intelligent Insurer #48 — Polygon effectively addresses a bug that could have caused a potential $24 billion loss
Polygon Network ended 2021 by reporting a critical upgrade that saved over 9.27 billion MATIC tokens, equivalent to $23.6 billion at the time, from exploitation. This incident highlighted the delicate balance between security and transparency in the blockchain industry.
In the latest Intelligent Insurer, we examine Polygon’s report of the incident, which traced the cause to a code vulnerability flagged by two white hat hackers. We also explore a contentious issue surrounding Polygon’s choice to delay disclosure of the incident and its ramifications for investor trust in blockchain projects. First, however, we highlight the progress we’ve made this past week in our software development update.
Insured Finance software development update
We welcomed the new year with great optimism and began it on a positive note. We are ready to push the development of our next-generation digital asset insurance platform to the next level over the course of 2022.
Our beta release is now available on the testnet for public access. We continue to gather feedback and improve our platform according to user inputs. In addition, we have launched a revamped version of our website which promises to enhance user experience immeasurably.
Aside from launching our app and requesting tokens, visitors can place custom insurance requests in our marketplace. They can also browse existing insurance requests and provide coverage for them. We fully believe in transparency, and users can interact with our team members through Telegram, Twitter, and Medium; the links are available on our website.
Best of all, our revamped website lists all of Insured Finance’s features and benefits, along with technical documentation related to our product. We fully believe that with this launch, Insured Finance has taken a major step towards becoming the premier choice for digital asset insurance in the DeFi marketplace.
White hat hackers uncover significant Polygon vulnerability
On December 3rd, 2021, a group of white hat hackers alerted Polygon through the network’s bug bounty program on Immunefi. The hackers identified a vulnerability in Polygon’s PoS genesis contract. According to the Polygon team, the amount of funds at risk made it essential to execute a fix quickly and discreetly: public awareness of the vulnerability could have allowed malicious actors to steal large sums of MATIC tokens.
Polygon’s team notified only its validators and full node operators, and a fix was deployed within 24 hours. The fix initially covered 80% of the network, with the remaining 20% following shortly thereafter. The full network upgrade took place on December 5th at block #22156660 without any significant disruption to network operations. The Polygon team stated that its code remains open source.
There was a twist in the course of the upgrade. Between the time the vulnerability was discovered and the fix deployed, an attacker managed to steal 801,601 MATIC tokens, equivalent to $1.6 million at the time. The network’s foundation bore the cost of the exploit and has also paid $3.46 million in bounties to the two white hat hackers who helped discover the bug. This is an impressive gesture that reflects the integrity of the Polygon team and its fairness to the network’s users.
Polygon publicly acknowledged the incident on December 29th, almost a full month after the bug was originally discovered. This late disclosure prompted Polygon to explain its “silent patches” disclosure policy.
Silent patches and vulnerability disclosure debates
Until recently, the norm when handling security issues in the blockchain industry has been to make the information public even before a patch is fully deployed. In some cases, project teams announce bugs on Twitter while working in the background to fix the issue. Transparency is the ethos of blockchain, and one would expect projects built on it to follow suit.
However, radical transparency has its disadvantages. In Polygon’s case, disclosing the vulnerability on December 9th would have led to huge losses for investors and would have been irresponsible. The silent patches policy, first defined by the Go Ethereum team, offered the best available solution, albeit an imperfect one.
Silent patches give node operators time to apply fixes and neutralize vulnerabilities before they become public. Given the time it takes most networks to apply fixes, communicate, and vote on upgrades, it makes sense to adopt this less-than-transparent disclosure policy. However, any protection that investors receive comes at the cost of transparency.
The disclosure delay prevents investors from exercising their right to use their funds as they wish and forces them to remain invested in a vulnerable situation. In essence, the project team wrests choice from investors temporarily. Such policies could incentivize unscrupulous developer teams to exercise greater control over user funds, negating the purpose of blockchain and DeFi technologies.
The real issue lies in the time it takes for node operators to validate and apply patches. Blockchain network processing speeds are a bottleneck, and this forces all parties involved to choose between transparency and security. As long as processing times remain high, investors need novel solutions to protect themselves.
This case with Polygon shows that even with sophisticated policies, absolute security on blockchain networks remains impossible. Therefore, digital insurance solutions like Insured Finance offer the best way to mitigate risk and protect assets. Digital asset holders receive full compensation after security incidents, eliminating the stress of investing in less than secure venues.
Polygon’s choice in this incident was the right one, but it doesn’t change the fact that blockchain networks need an upgrade. Until then, investors remain potential hostages to developer teams and need creative solutions to secure their assets.
About Insured Finance
Insured Finance is a decentralized, peer-to-peer insurance marketplace. Users can request customized insurance on a wide variety of digital assets, thereby ensuring full protection. Those fulfilling requests earn premiums and a competitive return on their capital. Claims are fully collateralized and settled instantly.