Damn… Polygon lack of balance/allowance check fixed. $2.2M payout to whitehat.
Props to Polygon for the rapid response and the wh for the report.
"Whitehat Leon Spacewalker reported a critical vulnerability in Polygon on December 3. The vulnerability consisted of a lack of balance/allowance check in the transfer function of Polygon’s MRC20 contract and would have allowed an attacker to steal all ~9,276,584,332 MATIC (as of December 5, the date of the fix) from that contract. Following the report from Leon Spacewalker, Polygon immediately sprang into action to fix the bug. Immunefi assisted in investigating blockchain activity, validating the fix, and advising the hardfork operation."
Full post mortem below:
Polygon Lack Of Balance Check Bugfix Postmortem — $2.2m Bounty
submitted by /u/ihave80D
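To show the bug class the quoted postmortem describes (a token transfer path that debits and credits without checking the sender's balance or the spender's allowance), here is an added example in Python; it is not Polygon's or Immunefi's code and does not reproduce the MRC20 contract. The ledger class, its method names and the account names are hypothetical. The unchecked path is kept deliberately broken next to the checked one, and an invariant function shows how a defender can spot the damage the unchecked path causes.

```python
# Added example, not from the original post. Models a token ledger with an
# unchecked transfer path (the bug class in the postmortem) beside a checked one.
# Names (TokenLedger, vault, alice, bob) are hypothetical.


class TokenLedger:
    def __init__(self, balances):
        self.balances = dict(balances)      # account -> balance
        self.allowances = {}                # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def unchecked_transfer_from(self, spender, owner, to, amount):
        # Vulnerable pattern: no balance check, no allowance check. Any caller
        # can move any amount out of any account. In this model the owner's
        # balance simply goes negative; a real contract would underflow or
        # revert depending on its arithmetic semantics.
        self.balances[owner] = self.balances.get(owner, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

    def checked_transfer_from(self, spender, owner, to, amount):
        # Hardened pattern: validate amount, balance and allowance before any
        # state change, and spend the allowance when the spender is not the owner.
        if amount < 0:
            raise ValueError("negative amount")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        if spender != owner:
            allowed = self.allowances.get((owner, spender), 0)
            if allowed < amount:
                raise ValueError("insufficient allowance")
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

    def supply_intact(self, expected_total):
        # Defender's invariant: no negative balances and total supply unchanged.
        return all(b >= 0 for b in self.balances.values()) and \
            sum(self.balances.values()) == expected_total


def demo():
    # Constructed sample state: a vault holds the whole supply, bob holds nothing.
    supply = 1_000_000
    vulnerable = TokenLedger({"vault": supply, "bob": 0})
    vulnerable.unchecked_transfer_from("bob", "vault", "bob", supply)
    vulnerable.unchecked_transfer_from("bob", "vault", "bob", 1)  # vault now negative

    hardened = TokenLedger({"vault": supply, "bob": 0})
    try:
        hardened.checked_transfer_from("bob", "vault", "bob", supply)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "vulnerable_vault_balance": vulnerable.balances["vault"],
        "vulnerable_supply_intact": vulnerable.supply_intact(supply),
        "hardened_rejected": rejected,
        "hardened_supply_intact": hardened.supply_intact(supply),
    }


if __name__ == "__main__":
    print(demo())
```

The `supply_intact` check is the kind of invariant a monitoring job or a fork test can evaluate after every transfer: when a transfer path lacks the balance and allowance checks, the first oversized transfer breaks it immediately, which is also the condition an on-chain reviewer would look for when validating a fix like the one described above.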