You are reading an excerpt from our free but shortened abridged report! While still packed with incredible research and data, for just $20/month you can upgrade to our FULL library of 50+ reports (including this one) and complete industry-leading analysis on the top crypto assets. 

Becoming a Premium member means enjoying all the perks of a Basic membership PLUS:

• Full-length CORE Reports: More technical, in-depth research, actionable insights, and potential market alpha for serious crypto users
• Early access to future CORE ratings: Being early is sometimes just as important as being right!
• Premium Member CORE+ Reports: Coverage on the top issues pertaining to crypto users like bridge security, layer two solutions, DeFi plays, and more
• CORE report Audio playback: Don’t want to read? No problem! Listen on the go.

Limitations of a Layer 1 Blockchain

The PoS chain has seen the most adoption out of the entire suite of Polygon’s products by far. One vulnerability is that the PoS chain is not an L2, but rather a monolithic L1 chain that's bound by the same inefficiencies that other L1 blockchains also see. The PoS chain has previously had to raise its minimum gas floor as a result of reaching its usage limits and being spammed by projects. In one example, in the case of block 15798851, the block is 99.99% full.

Example block is 99.99% full, Source: medium.com\stakingbits

While sidechains occasionally submit commits or "checkpoints" to the L1, Ethereum doesn't verify every sidechain transaction. Instead, Polygon’s state is maintained/updated according to its own consensus method. Ethereum doesn't confirm that these state changes are authentic. Consequently, similar to other L1 platforms, sidechains are almost universally more centralized and less reliable than Ethereum.

Generally speaking, the more decentralized a blockchain’s decision-making, development, and governance, the more resistant it is to censorship, downtime, and transaction reversals. While an imperfect measure, the accessibility of becoming a validator and the overall number of validators in the network serve as a good proxy for decentralization.

Sidechains feature much fewer validator nodes compared to Ethereum. Therefore, fewer entities would need to cooperate (or be forced to collude by an external player) to freeze/sabotage the network for profit. Currently, 100 validators participate in consensus on Polygon's PoS chain compared to over 400,000 on Ethereum's Beacon Chain.

However, security assurances for sidechains vary based on their specific conditions. For instance, Polygon is a commit chain in which its validator set is permissionless (i.e., in theory, anybody can participate in its consensus), and stake is maintained at Ethereum L1. In the worst-case scenario, this means the malicious validators can have their funds slashed on the L1 and the L1 community can hard fork the chain to return the chain to its prior state before the incident. The degree to which various Polygon scaling projects inherit Ethereum’s security varies as seen in the image below.

The degree to which Polygon's scaling projects inherit Ethereum's security, Source: twitter.com\Justin_Bons

Multi-sig Vulnerabilities and Team Centralization Concerns

The most controversial and potentially most damaging area of concern for the Polygon PoS chain revolves around the multi-sig keys in charge of all the funds on chain. 

Multi-signature (AKA multi-sig) is a type of security model and digital signature scheme that requires users to provide multiple keys to authorize access to or transact with secure digital assets. Such a transaction must be signed by a threshold of participants to be valid, similar to how some legal or financial documents require a co-signer or multiple authorizations across different mediums. The wallet owner can decide how many signatures are required for a transaction to be valid.

Multi-signature, Source: medium.com\1kxnetwork

Multi-signature schemes have numerous benefits, including dividing up responsibility for possession of a digital asset among multiple people, heightened security by eliminating a single point of failure, and a wallet recovery solution in case of someone loses their private key. The primary benefit is that security is shared among numerous individuals. Even if your computer and hardware wallet are stolen, you’re still safe because other actors are needed to move funds if properly set up. Your crypto will remain secure even if your seed phrase is hacked, akin to a safe deposit box that requires multiple keys. Along the same lines, it's imperative that anyone with multi-sig duties understands the significance of private keys/seed phrases and can be relied upon with this responsibility.

Polygon is secured by simply a 5-of-8 multisig (four of which are run by the team). This means only five people need to collude or be compromised to steal funds. The Polygon Twitter account alleged that the multi-sig does apparently have the power to upgrade the MATIC staking contract, which is a critical piece of Polygon’s network security.

Chris Blec of DeFi Watch raised concerns in May of 2021 regarding the multi-sig centralization concerns of Polygon, while billions of dollars in TVL already existed on the chain, which the team did not clarify, despite requests to do so at the time. 

Following the public complaint, the Polygon team stated that a multi-sig key scheme is common for early crypto projects and even necessary to enact future upgrades. They added their intentions to migrate to more optimum designs in the future, but no date was given. 

The total power wielded by the Polygon team due to the multi-sig reappeared again in December 2021 when the multi-sig holders implemented a hard fork (to fix a bug) with nearly no discussion or vote with the community. 

A notable example of a major vulnerability that exemplifies potential issues with multi-sig was seen in the $625 million Ronin hack of March 2022. Ronin used a multi-sig system to sign off deposits and withdrawals to the protocol. Ronin’s multi-sig required nine authorized wallets to sign the transaction for it to be executed, but in this case, four of the nine multi-sig keys were held by Sky Mavis, a centralized entity. 

The hacker was able to get access to the centralized server where these keys were stored and, therefore, only needed one more multi-sig to authorize any transaction within the protocol. The proper use of multi-sig to avoid such a hack vector would involve each nine keys being owned and controlled by nine fully separate entities or individuals.

Recently, Polygon Co-Founder Beljic commented in February 2022 that the team is working its way to remove the multi-sig contract in response to claims that alleged that it would only take five people to compromise the $5 billion sitting on the network.

Network Congestion, Reliability, and Re-Orgs

The Polygon team has openly acknowledged the limitations that exist therein and is a major factor in why the protocol pivoted towards rollup solutions in 2022. However, there have still been examples of notable Polygon downtime. The most recent instance of this was in March of 2022 when the PoS chain suffered a multi-hour outage due to a flaw introduced by an upgrade of Bor, Polygon's block production layer. When the network goes offline, users can’t execute transactions on the sidechain and are temporarily unable to withdraw assets to the L1.

The March 2022 outage did not affect user funds or data. However, many users were affected by this downtime on the Polygon PoS chain, most notably on OpenSea, where wallet balances did not update and caused delays in transacting NFTs. 

The month prior, transactions on Polygon were halted due to an outage with the gas station, and prior to that, another issue involved errors in gas estimation that resulted in users being unable to transact using NFTs on the network for several days.

The Polygon team’s focus beyond the PoS chain is to focus on the development, acquisition and scaling of ZK-rollups technology, which will enable higher scalability and throughput than even the PoS chain, which for now functions as an imperfect alternative of sorts.

Aside from validators, settlement assurances/finality are another critical measurement for all blockchains. 

Because the Polygon PoS chain is designed to scale by adding more parallel sidechains and regularly combining state through a commitment to Ethereum, it opens itself up to latency/finality issues. Multiple, parallel sidechains mean two distinct users of the same dApp could exist on separate sidechains. This means users are subjected to the latency of the state merging between chains. Since you can't securely consider a transaction "final" until the block height reaches a particular level, scaling Polygon in this manner may also increase the danger of a blockchain experiencing a "re-org" (where transactions are wiped back).

A chain reorganization (or "reorg") occurs when a validator receives blocks from a new "longer" version of the chain (greater difficulty). The validator node will then disregard/deactivate blocks in its previous highest chain in favor of blocks that construct the new highest chain. This impacts transactional finality, which can cause headaches for users. Reorgs undermine an application's confidence that its transactions are part of the canonical chain version. To circumvent this, programs must await more block confirmations.

Reorgs can (and do) occur in any chain with probabilistic finality (Nakamoto Consensus protocols, such as Bitcoin and Ethereum), as opposed to deterministic (Tendermint protocols, such as Cosmos). Polygon PoS is probabilistic, meaning that finality is eventual and often reliant on the number of confirmations piled on top of the block containing your transaction. There's no guarantee that your transaction will be confirmed.

Polygon’s PoS chain routinely undergoes chain reorganizations in which previously validated transactions are "dropped" from the blockchain's history. On L1 blockchains, such as Ethereum, reorganizations occur frequently, but they're typically negligible in size and have negligible effects on users. In contrast, reorganizations on Polygon's PoS chain date back hundreds of blocks, weakening trust in the security and irreversibility of transactions conducted on its PoS chain.

In a typical industry scenario, a Bitcoin Network transaction is declared "final" after six to 12 block confirmations. On Polygon PoS chains, it's recommended that apps wait about 50 or more blocks to feel certain about transaction finality. It’s all based on how much economic security one needs to feel confident their transaction/block will not be reorganized.

In January 2023, the Polygon team announced a new hard fork proposed to address some of the reorg issues that have affected the PoS chain to date. Post-hard fork, the “sprint distance” will be lessened, meaning any one block producer will produce fewer consecutive blocks in a row and for significantly less time than the current 128 seconds. This will significantly reduce the frequency and depth of reorganizations. This has no effect on the total time/number of blocks a validator produces during a period, and as a result, the rewards will not change. While the technical justification for the upgrade seem above board, a spotlight should be shown on how this hard fork came to pass. The proposal began in December, meaning there was only ~one month from vote to implementation. This is incredibly hasty for a protocol worth billions. Additionally, the proposal was passed with less than 20 total entities voting. The embarrassing voter turnout as well as the speed to which this was pushed through highlights the shortcomings of Polygon as a truly robust, decentralized network.

ImmuneFi Exploit Discovery

According to ImmuneFi, there was also a consensus bypass vulnerability discovered in the Polygon PoS chain smart contract on Ethereum. This bug would have allowed an attacker to decrease the total staking power, allowing a consensus bypass (⅔ threshold) that would have allowed an attacker to drain all funds from the deposit manager, engage in unlimited withdrawal, DoS, and perform more malicious actions. The attacker could then lower the total staking power up to such a low point that a sole validator would be able to pass the majority check and from there, send malicious checkpoints that fake a withdrawal of tokens from Polygon that drains all tokens from the deposit manager and more. 

This is a severe exploit, and luckily it was found by a white hat party. A fix was deployed on the Matic GitHub repository by adding a check to update the total staking power only if the validator didn’t unstake, which fixed the vulnerability.

Read the entire FREE report here.