Cyber Capital founder Justin Bons described Polygon (MATIC) as “highly insecure & centralized,” claiming only five people are needed to compromise over $2 billion in the ecosystem.
1/25) Polygon is still highly insecure & centralized!
It would only take 5 people to compromise over $2B
Adding insult to injury 4 out of these 5 are the Polygon founders!
This is one of the largest hacks just waiting to happen
Reckless & irresponsible, a warning to the wise:
— Justin Bons (@Justin_Bons) August 15, 2022
In an Aug. 15 Twitter thread, Bons said the layer-2 protocol is a hack waiting to happen because of its eight-key multisig contract.
According to Bons, five keys are enough to compromise the network, and four of them are held by its founders; Polygon also chose the remaining key holders.
Bons added that whoever controls the keys can change the rules and do anything within the ecosystem, including an exit scam in which they take the entire $2 billion held in the Polygon contract.
He also claimed that Polygon has not been transparent in its operation, which further endangers the network. He said:
“It is within the realm of possibility that a single individual already controls the admin key! The use of admin keys, at the very least, requires very high standards of security.”
He said Chris Blec of Defi Watch had formally requested disclosure about the admin key in 2020, but the Polygon team denied the request.
Here is a letter that was sent to Polygon which they’ve called “abusive”. https://t.co/OynPAgETHz
— Chris Blec (@ChrisBlec) February 16, 2022
Bons also criticized Polygon’s transparency report, saying it only justified the use of a multisig and did not discuss operational security.
Bons recommended that Polygon decentralize by following its own state-of-governance report.
He asked the founders to transfer control of the smart contract admin key to a Polygon DAO made up of MATIC token holders.
“This will require a migration over to a new Polygon smart contract. This would be very difficult & costly to do. (But) that is the price we pay for not doing things right, to begin with.”
However, a Twitter user dismissed Bons as a paid FUD spreader who drops the same information every six months. Bons had posted a similar thread in February, which a Polygon cofounder addressed.
1) you’re literally a paid FUD dropping the same thread every 6 months lol.
2) Polygon’s solutions adopt ETH’s security (zkEVM is a prime example)
3) here is a thread of Polygon themselves talking about this https://t.co/EW9mBt3lre
— ⁴⁷ (@0xSigh) August 15, 2022
At the time, cofounder Mihailo Bjelic sought to allay Bons’ concerns about the multisig. According to Bjelic, Polygon is working to remove the multisig, and an exit scam is not a realistic concern for the protocol.
1/9 The usage of multisigs has been addressed many times. Mainly for the sake of newcomers, let’s cover the key points once again.
TL;DR: Multisigs are used to increase security, not to decrease it. Polygon is responsibly using them, and we are working towards removing them. https://t.co/vSlSQUaRmX
— Mihailo Bjelic (@MihailoBjelic) February 14, 2022
Meanwhile, despite the issues Bons raised, the Ethereum-based layer-2 network has continued to enjoy massive adoption, including use by institutions.