Polygon’s Blockchain Hard-Forked Without Warning To Closed-Source Genesis. Why?
What’s going on at Polygon? There seems to be a disturbance in the force over there. Is the Ethereum Layer 2 project alright? Are they doing everything above board, or is there something sinister going on? Are they even decentralized if they can hard-fork just like that? Or did they follow the proper procedures, and their critics are just uninformed? Can we even answer all of those questions? Probably not. But we can present all the information available and let you reach your own conclusions.
Are we all supposed to just shut up and forget about the fact that over a week ago Polygon hard-forked their blockchain in the middle of the night with no warning to a completely closed-source genesis and still haven't verified the code or explained what is going on?
— Nathan Worsley (@NathanWorsley_) December 15, 2021
Let’s start with DeFi Builder Nathan Worsley’s accusation. Or is he just requesting information? Worsley recently tweeted, “Are we all supposed to just shut up and forget about the fact that over a week ago Polygon hard-forked their blockchain in the middle of the night with no warning to a completely closed-source genesis and still haven’t verified the code or explained what is going on?”
The “middle of the night” part is arguable, since everyone is in a different timezone and the Polygon blockchain is everywhere. However, he made clear why the issue matters: “Until the code is verified there are no security guarantees about the billions of dollars in assets the chain currently secures.” He also tweeted proof of everything else: “Here’s the commit that was hard-forked into production.”
Here's the commit that was hard-forked into production the middle of the night https://t.co/qMunI4WZxx
— Nathan Worsley (@NathanWorsley_) December 15, 2021
To add credibility to his claim, DeFiance Capital’s Zhu Su joined the chorus asking for answers. “Was this to patch a critical bug? Why and how did this happen?”
Why am I seeing 100x more solana fud than discussion of this? Was this to patch a critical bug? Why and how did this happen? https://t.co/GhY3eTYNtm
— 朱溯 🐂 (@zhusu) December 15, 2021
Polygon Responds And Shows Receipts
The criticism got a response from Polygon’s co-founder Mihailo Bjelic. “We’re making an effort to improve security practices across all Polygon projects,” Bjelic tweeted. “As a part of this effort, we are working with multiple security researcher groups, whitehat hackers etc. One of these partners discovered a vulnerability in one of the recently verified contracts. We immediately introduced a fix and coordinated the upgrade with validators/full node operators. No funds were lost. The network is stable.”
2/2 ..vulnerability in one of the recently verified contracts. We immediately introduced a fix and coordinated the upgrade with validators/full node operators. No funds were lost. The network is stable.
A detailed blog post coming, we are finalizing additional security analyses.
— Mihailo Bjelic (@MihailoBjelic) December 15, 2021
Ok, that sounds reasonable. Bjelic also promised, “A detailed blog post coming, we are finalizing additional security analyses.” A question lingers in the air, though. And crypto enthusiast J. Vicente Correa asks it in the most direct way possible, “U can fork the chain by yourself and take all my funds as u wish?”
Great for the explanation but u didn't tackle the real problem. U r telling me that u can fork the chain by yourself and take all my funds as u wish?
— JVCHAF (@JVicenteCorrea) December 15, 2021
And Polygon’s Mihailo Bjelic answers in the most political way possible. “Absolutely not. The network is run by validators and full node operators, and we have no control over any of these groups. We just did our best to communicate and explain the importance of this upgrade, but ultimately it was up to them to decide whether they will do it or not.”
Absolutely not.
The network is run by validators and full node operators, and we have no control over any of these groups. We just did our best to communicate and explain the importance of this upgrade, but ultimately it was up to them to decide whether they will do it or not.
— Mihailo Bjelic (@MihailoBjelic) December 15, 2021
Fair enough. However…
MATIC price chart on Poloniex | Source: MATIC/USD on TradingView.com
A Node Operator Has Some Criticism Of His Own
In the same thread, Polygon node operator Mikko Ohtamaa blasted the way the company handled the whole thing and also showed receipts. “Next time it happens can you at least announce a critical update to all Polygon node operators. Now this looks super unprofessional and confusing for the community. It was not mentioned or pinned down in any major channels or publications.”
Next time it happens can you at least announce a critical update to all Polygon node operators. Now this looks super unprofessional and confusing for the community. It was not mentioned or pinned down in any major channels or publications. https://t.co/naAFRIEEfS
— Mikko Ohtamaa (@moo9000) December 15, 2021
He got a response from Polygon’s other co-creator, Sandeep Nailwal. “This was a security update, and hence pre-public-announcement could’ve escalated things.”
Hey Mikko, this was a security update, and hence pre-public-announcement could've escalated things.
— Sandeep AggLayer. polygon 💜 (@sandeepnailwal) December 15, 2021
Ok, that makes sense. However, Ohtamaa had more complaints: “‘Some bug fixes’ for a critical patch is not good. If there is a critical fix you co-ordinate with validators.” Plus, he reinforced Nathan Worsley’s original complaint: “It’s really obvious it is a critical security bug if you do unannounced no notice hard fork in the middle of a weekend.”
It's really obvious it is a critical security bug if you do unannounced no notice hard fork in the middle of a weekend. So do not be dumb and think your users are dumb.
— Mikko Ohtamaa (@moo9000) December 15, 2021
According to Ohtamaa, “there are multiple open source projects out there” that have handled similar operations more effectively. Someone asked what Polygon could have done better. He answered with a series of simple steps.
- Prepare the patch privately.
- A few days before, announce a critical security fix is coming. All node operators need to be prepared.
- Distribute the patch at the preset time.
- Not downplay the criticality of the patch and make idiot-looking release notes.
So, is there something rotten at Polygon? We will have to wait for the “detailed blog post” Bjelic promised to know for sure.
Featured Image by Mae Mu on Unsplash – Charts by TradingView