# Note on temporary Denial-of-Service vulnerability on Polygon PoS staking contract

Researcher/Reporter/White hacker: Ashiq Amien from iosiro on HackerOne

On Aug 4th, Ashiq Amien reported a Denial of Service vulnerability on the Polygon staking contracts via the HackerOne portal. The HackerOne team triages bug reports on a regular basis and assigns them to the Polygon team only if the reported bug is within the scope of the bounty. Due to a triage delay on HackerOne and the nature of the vulnerability, Ashiq reached out to samczsun for further help on Aug 17th. samczsun and Georgios Konstantopoulos immediately reached out to Mihailo, and we created a group with Ashiq to fix it.

After checking with Ashiq, we concluded that `StakeManagerProxy` was initialized properly. However, the `StakeManager` implementation was not initialized. In many cases this is not needed, but this case was different: the `StakeManager` implementation contains `extensionCode`, which extends the contract and calls a few functions on the `extensionCode` contract using `delegatecall`. So anyone could call `initialize` on the implementation contract with a malicious `extensionCode` contract and `selfdestruct` the implementation contract, which would make `StakeManagerProxy` temporarily unusable until a new `StakeManager` implementation contract was deployed.

Contract: https://etherscan.io/address/0xd6F5c46d4E1a02f9D145cEe41d2F8AF30D8d2d76
The issue was fixed by initializing the `StakeManager` implementation with a safe contract which doesn't have `selfdestruct` (it has been set to the Matic Token contract). Here is the transaction: https://etherscan.io/tx/0x1986576e99261fdf17ae56f033d9f23fda131fab849ab62dff055205c2e438d0

No user funds were in danger of being lost. User funds would have been locked until the new implementation was deployed, which would have been a temporary Denial of Service attack on the contract. This vulnerability has now been fixed. No other smart contract is affected. Staking-related functions are currently working as expected, and no further action is required.
To avoid this situation in the future, the team will modify test cases and deployment processes to mitigate this class of scenarios.
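One deployment-time safeguard against this class of scenario, shown here as an added Solidity illustration (a hypothetical contract, not Polygon's StakeManager code): the implementation marks its own storage as initialized in its constructor, so `initialize` can never be run on the implementation itself, while the proxy's separate storage still lets the proxy initialize exactly once. For an implementation that is already deployed without such a lock, the post-deploy alternative is the one described above: initialize it with a harmless address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical upgradeable implementation (not Polygon's code) showing how
/// to keep the implementation contract itself from ever being initialized
/// by a third party.
contract LockedImplementation {
    // Storage layout shared with the proxy when called via delegatecall.
    bool private initialized;
    address public extensionCode;

    /// Allows initialize() to run once per storage context (proxy or impl).
    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;
        _;
    }

    /// Constructors run only against the implementation's own storage;
    /// a proxy's delegatecall never executes them. Setting the flag here
    /// closes the window in which anyone could call initialize() directly
    /// on the implementation and point extensionCode at code of their choice.
    constructor() {
        initialized = true;
    }

    /// Intended to be called once, through the proxy, by the deployer.
    function initialize(address _extensionCode) external initializer {
        require(_extensionCode != address(0), "zero extension");
        // Assumption: extensionCode is later used as a delegatecall target,
        // so it must be a trusted, audited contract set only by the owner.
        extensionCode = _extensionCode;
    }

    /// Read-only check a deployment script or test can call on the
    /// implementation address to assert the lock is in place.
    function isLocked() external view returns (bool) {
        return initialized;
    }
}
```

A deployment test can call `isLocked()` on the freshly deployed implementation address (not the proxy) and fail the pipeline if it returns false.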
Further, the team is working with HackerOne and internal teams to improve the triage and escalation process. We will look into crypto-specific bounty platforms like Immunefi to avoid any delay in communication on the bounty platform.
We would like to thank Ashiq Amien for reporting the vulnerability! Thanks samczsun and Georgios Konstantopoulos for all the help.
The Polygon Team