Researcher/Reporter/White-hat hacker: Ashiq Amien from iosiro on HackerOne
On Aug 4th, Ashiq Amien reported a Denial of Service vulnerability in the Polygon staking contracts via the HackerOne portal. The HackerOne team triages bug reports on a regular basis and assigns them to the Polygon team only if the reported bug is within the scope of the bounty. Due to a triage delay on HackerOne and the nature of the vulnerability, Ashiq reached out to samczsun for further help on Aug 17th. samczsun and Georgios Konstantopoulos immediately reached out to Mihailo, and we created a group with Ashiq to fix it.
After checking with Ashiq, we concluded that StakeManagerProxy was initialized properly. However, the StakeManager implementation contract was not initialized. In many cases this is not needed, but this case was different: the StakeManager implementation contains an extensionCode address, which extends the contract, and it calls a few functions on the extensionCode contract using delegatecall. Because the implementation's own initialize function had never been called, anyone could call initialize directly on the implementation contract with a malicious extensionCode contract; a delegatecall into that contract would then run selfdestruct in the implementation's context and destroy the implementation contract. That would have made StakeManagerProxy temporarily unusable until a new StakeManager implementation contract was deployed.
Contract: https://etherscan.io/address/0xd6F5c46d4E1a02f9D145cEe41d2F8AF30D8d2d76
The issue was fixed by initializing the StakeManager implementation with a safe extensionCode contract that does not contain selfdestruct (it has been set to the Matic Token contract). Here is the transaction: https://etherscan.io/tx/0x1986576e99261fdf17ae56f033d9f23fda131fab849ab62dff055205c2e438d0
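The following is an added, simplified illustration of the bug class described above and of the fix; it is not Polygon's StakeManager code, and every contract and function name in it (Proxy, VulnerableStakeManager, HardenedStakeManager, MaliciousExtension, delegateToExtension, kill) is an assumed name chosen for the example. It shows why an initialized proxy does not protect an uninitialized implementation: the initialized flag lives in storage, the proxy's storage and the implementation's storage are separate, so the implementation's own initialize is still open to anyone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Polygon's code. Names and shapes are assumed.

// Minimal delegating proxy: storage lives here, logic lives at `implementation`.
contract Proxy {
    address public implementation;

    constructor(address impl) {
        implementation = impl;
    }

    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Vulnerable shape. initialize() is guarded by a storage flag, so it can run
// once per storage context. Calling it through the proxy sets the flag in the
// PROXY's storage only; the implementation's own flag stays false, so anyone
// can call initialize() on the implementation address itself.
contract VulnerableStakeManager {
    bool public initialized;
    address public extensionCode;

    function initialize(address _extensionCode) external {
        require(!initialized, "already initialized");
        initialized = true;
        extensionCode = _extensionCode;
    }

    // Logic routed to the extension via delegatecall: whatever extensionCode
    // executes runs with THIS contract's storage and address.
    function delegateToExtension(bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = extensionCode.delegatecall(data);
        require(ok, "extension call failed");
        return ret;
    }
}

// Attacker-controlled extension. When delegatecalled, selfdestruct acts on the
// calling context, i.e. the implementation contract, not on this contract.
//
// Attack sequence against the uninitialized implementation (assumed names):
//   1. impl.initialize(address(new MaliciousExtension()));
//   2. impl.delegateToExtension(abi.encodeWithSignature("kill()"));
//   3. the implementation's code is gone; the proxy still points at it, and a
//      delegatecall to an address with no code returns empty data, so every
//      call through the proxy stops working until a new implementation is
//      deployed and the proxy is upgraded.
contract MaliciousExtension {
    function kill() external {
        selfdestruct(payable(msg.sender));
    }
}

// Hardened shape. The constructor runs only in the implementation's own
// storage context (never via the proxy), so marking it initialized there
// closes initialize() on the implementation while leaving it callable
// through the proxy. This is the same idea as OpenZeppelin's
// _disableInitializers(). Equivalently, the deployment process can call
// initialize() on the freshly deployed implementation with a harmless
// extensionCode, which is what the fix transaction above did.
contract HardenedStakeManager {
    bool public initialized;
    address public extensionCode;

    constructor() {
        initialized = true;
    }

    function initialize(address _extensionCode) external {
        require(!initialized, "already initialized");
        require(_extensionCode.code.length > 0, "extension must be a contract");
        initialized = true;
        extensionCode = _extensionCode;
    }

    function delegateToExtension(bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = extensionCode.delegatecall(data);
        require(ok, "extension call failed");
        return ret;
    }
}
```

Two practical notes. First, the deployment-time check is simply to read the implementation's initialized flag (or call initialize on it and expect a revert) immediately after deploying it and before pointing the proxy at it; an implementation that accepts initialize from an arbitrary caller is the finding. Second, on chains that have adopted EIP-6780 (Ethereum mainnet since the Cancun upgrade in March 2024), selfdestruct no longer removes a contract's code unless it is called in the same transaction that created the contract, so this exact takedown would not delete the implementation there; an uninitialized implementation that delegatecalls to attacker-chosen code is still a full compromise of that contract's storage and must be treated as critical regardless.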
No user funds were in danger of being lost. User funds would have been locked until the new implementation was deployed, which would have amounted to a temporary Denial of Service attack on the contract. This vulnerability has now been fixed.
No other smart contract is affected. Staking-related functions are currently working as expected, and no further action is required.
To avoid this situation in the future, the team will modify test cases and deployment processes to mitigate this class of scenarios.
Further, the team is working with HackerOne and internal teams to improve the triage and escalation process. We will look into crypto-specific bounty platforms like Immunefi to avoid any delay in communication on the bounty platform.
We would like to thank Ashiq Amien for reporting the vulnerability! Thanks to samczsun and Georgios Konstantopoulos for all the help.
The Polygon Team