# Note on temporary Denial-of-Service vulnerability on Polygon PoS staking contract
**Researcher/Reporter/White hacker**: [Ashiq Amien](https://twitter.com/AshiqAmien) from [iosiro](https://iosiro.com) on HackerOne
On Aug 4th, [Ashiq Amien](https://twitter.com/AshiqAmien) reported a `Denial of Service` vulnerability on the Polygon staking contracts via the HackerOne portal. The HackerOne team triages bug reports on a regular basis and assigns them to the Polygon team only if the reported bug is within the scope of the bounty. Due to a triage delay on HackerOne and the nature of the vulnerability, Ashiq reached out to samczsun for further help on Aug 17th. samczsun and Georgios Konstantopoulos immediately reached out to Mihailo, and we created a group with Ashiq to fix it.
After checking with Ashiq, we concluded that `StakeManagerProxy` was initialized properly. However, the `StakeManager` implementation was not initialized. In many cases this is not a problem, but this case was different: the `StakeManager` implementation holds an `extensionCode` address, which extends the contract, and calls a few functions on the `extensionCode` contract via `delegatecall`. Because the implementation was left uninitialized, anyone could call `initialize` directly on the implementation contract with a malicious `extensionCode` contract and `selfdestruct` the implementation contract, which would make `StakeManagerProxy` temporarily unusable until a new `StakeManager` implementation contract was deployed.
Contract: [https://etherscan.io/address/0xd6F5c46d4E1a02f9D145cEe41d2F8AF30D8d2d76](https://etherscan.io/address/0xd6F5c46d4E1a02f9D145cEe41d2F8AF30D8d2d76)
The issue was fixed by initializing the `StakeManager` implementation with a safe contract which doesn’t have `selfdestruct` (it has been set to the Matic Token contract). Here is the transaction: [https://etherscan.io/tx/0x1986576e99261fdf17ae56f033d9f23fda131fab849ab62dff055205c2e438d0](https://etherscan.io/tx/0x1986576e99261fdf17ae56f033d9f23fda131fab849ab62dff055205c2e438d0)
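As an added illustration (constructed for this note, not Polygon's `StakeManager` code), the following Solidity contracts show the pattern described above: an implementation contract whose `initialize` can be called directly on the implementation address by anyone, next to a hardened form that locks the bare implementation in its constructor so only the proxy's storage can ever be initialized. Contract names, function names and the `callExtension` entry point are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example, not the project's own code. Both contracts are meant to
// sit behind a delegatecall-based proxy whose storage is separate from the
// implementation's storage.

contract VulnerableImplementation {
    bool public initialized;
    address public owner;
    address public extensionCode;

    // Vulnerable: nothing distinguishes a call made through the proxy from a
    // direct call on the implementation address, so the first caller of the
    // bare implementation chooses `extensionCode`.
    function initialize(address _owner, address _extensionCode) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = _owner;
        extensionCode = _extensionCode;
    }

    // Code at `extensionCode` runs in this contract's storage context, so
    // whoever controls that address controls this contract's fate.
    function callExtension(bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = extensionCode.delegatecall(data);
        require(ok, "extension call failed");
        return ret;
    }
}

contract HardenedImplementation {
    bool public initialized;
    address public owner;
    address public extensionCode;

    // Mitigation: the constructor executes only in the implementation's own
    // storage, never through the proxy. Marking the bare implementation as
    // initialized here closes the direct-call path while the proxy, whose
    // storage still holds initialized == false, can call initialize() normally.
    constructor() {
        initialized = true;
    }

    function initialize(address _owner, address _extensionCode) external {
        require(!initialized, "already initialized");
        // Defensive check: the extension must at least be deployed code.
        require(_extensionCode.code.length > 0, "extension must be a contract");
        initialized = true;
        owner = _owner;
        extensionCode = _extensionCode;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Restricting who may drive the delegatecall limits the blast radius even
    // if `extensionCode` is ever set to something unexpected.
    function callExtension(bytes calldata data) external onlyOwner returns (bytes memory) {
        (bool ok, bytes memory ret) = extensionCode.delegatecall(data);
        require(ok, "extension call failed");
        return ret;
    }
}
```

The constructor lock is the same idea as the post-deployment fix described above (initializing the deployed implementation with a known-safe extension): in both cases the bare implementation's `initialize` can no longer be claimed by an arbitrary caller. A deployment checklist should verify, for every upgradeable contract, that the implementation address itself reports `initialized == true` (or otherwise rejects `initialize`), not only the proxy.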
No user funds were in danger of being lost. User funds would have been locked until the new implementation was deployed. This would have led to a temporary `Denial of Service` attack on the contract. This vulnerability has been fixed now.
No other smart contract is affected. Staking-related functions are currently working as expected, and no further action is required.
To avoid this situation in the future, the team will modify test cases and deployment processes to mitigate this class of scenarios.
Further, the team is working with HackerOne and internal teams to improve the triage and escalation process. We will look into crypto-specific bounty platforms like Immunefi to avoid any delay in communication on the bounty platform.
We would like to thank Ashiq Amien for reporting the vulnerability! Thanks samczsun and Georgios Konstantopoulos for all the help.
The Polygon Team