Is Polygon safu? Critics: Multisig isn’t secure enough, $5B in jeopardy

3 years ago

· Technology

A debate about the security of the Polygon network is on the rise. Critics accuse the Polygon network of being insecure and centralized. Polygon is aware that multisigs are not ideal and is planning to remove them.


Polygon is perhaps the most popular alternative to transacting directly on the Ethereum base layer (L1), giving users the chance to make fast transactions with low fees. Polygon (MATIC) is best known as a so-called side-chain to Ethereum, i.e. an Ethereum Virtual Machine (EVM) compatible blockchain running its own set of validator nodes. However, the Polygon team has also invested heavily in pure Layer-2 technology, and provides services such as the zk-STARKs based Miden scaling solution.

Of course, with success comes the responsibility to safeguard all the funds that users are pouring into the network. In a tweet thread, Justin Bons, Founder & CIO of Cyber Capital, accuses the Polygon team of employing lax security measures, chiefly around the Polygon multisig contract which controls the Polygon smart contract admin key. This key, in turn, controls over $5 billion of funds, according to Bons.

1/14) Polygon in its current state is insecure & centralized!

It would only take 5 people to compromise over $5B!

4 of those people are the founders of Poly!

This is one of the largest hacks or exit scams just waiting to happen

Reckless & irresponsible, a warning to the wise:

— Justin Bons (@Justin_Bons) February 12, 2022

“Polygon in its current state is insecure and centralized! It would only take 5 people to compromise over $5 billion! Four of those people are the founders of Polygon! This is one of the largest hacks or exit scams just waiting to happen,” Bons tweets.

“The Polygon team can gain complete control over Polygon”

“The Polygon smart contract admin key is controlled by a 5 out of 8 multi-signature contract. This means that the Polygon [team] can gain complete control over Polygon with only 1 of the 4 outside parties conspiring. The other 4 parties in the multisig were also selected by Polygon,” Bons continues.

According to Bons, this also means that these 4 other parties “are not exactly impartial.” Control over the contract admin key equals the power to change the rules, at which point “anything becomes possible,” including emptying out the entire Polygon contract.

Some of the critique is also aimed at Polygon’s alleged lack of transparency. This is not the first time Polygon’s alleged opaqueness has been on the table. Chris Blec at DeFi Watch previously sent a request to the Polygon team asking for clarity. According to both Bons and Blec, Polygon did not reply to Blec’s request.

However, the Polygon team is not entirely silent on the matter, as questions of this kind have arisen before. The team has previously published a multisig transparency report to bring clarity to the matter. In a response to Bons’ tweet, Mihailo Bjelic, co-founder of Polygon, indirectly confirms the multisig worries, as Polygon is “working towards removing them”. The multisig was implemented at an “early phase” and is apparently not an ideal solution as the system grows.

1/9 The usage of multisigs has been addressed many times. Mainly for the benefit of newcomers, let's cover the key points once again.

TL;DR: Multisigs are used to increase security, not to decrease it. Polygon is responsibly using them, and we are working towards removing them. https://t.co/vSlSQUaRmX

— Mihailo Bjelic (@MihailoBjelic) February 14, 2022

“They [multisigs] are considered the optimal approach to secure user funds in the early phases of development and are used by almost all scaling and bridging projects.”

Bjelic points to the transparency report detailing the “plan to improve and eventually remove multisigs.” Bjelic then addresses some of the points in Bons’ tweet.

“Exit scam is not a realistic concern for Polygon”

According to Bjelic, an exit scam is not a realistic concern for Polygon; multisigs are used to protect users from hacks, and Polygon is using the multisig the way it does because the team is being responsible, contrary to the accusations.

As per Bons’ critique, a 5 out of 8 multisig is “wholefully insufficient” for protecting as much as $5 billion of funds, and 4 of those 8 signer keys were “given” to outside parties selected by Polygon. To Bons, this may constitute a risk of collusion.

According to Bjelic, however, the outside parties are “reputable Ethereum/Polygon projects and were not selected by Polygon, they decided to participate.”

“The more signers, the harder it is to coordinate them in case an immediate reaction is required. We are trying to find the right balance here; we already have more signers than most of the other scaling projects,” Bjelic replies.
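The two positions above (Bons: a 5-of-8 threshold with 4 insiders leaves a single outside party between the team and the admin key; Bjelic: every extra required signer makes an emergency response harder) can both be checked with a small model of an m-of-n multisig. The following Python is an added example written for this article, not Polygon's contract code. The signer composition (8 signers, 4 founders, threshold 5) follows the article; the signer names, the "insider"/"external" roles and the per-signer availability probability are constructed assumptions.

```python
"""Trust and liveness model for an m-of-n multisig admin key.

Added example for this article; it is not Polygon's contract code. The signer
composition (8 signers, 4 of them project founders, a 5-of-8 threshold) follows
the article's description; signer names, the "insider"/"external" roles and the
availability probabilities are constructed assumptions.
"""
from math import comb

# Constructed signer set: names are placeholders, roles follow the article.
SIGNERS = {
    "founder_a": "insider", "founder_b": "insider",
    "founder_c": "insider", "founder_d": "insider",
    "external_1": "external", "external_2": "external",
    "external_3": "external", "external_4": "external",
}
THRESHOLD = 5


def action_is_authorized(approvals, signers=SIGNERS, threshold=THRESHOLD):
    """An admin action passes only with >= threshold approvals from distinct,
    authorized signers. Duplicates and unknown keys are dropped first; a
    multisig that counted raw approvals instead of distinct authorized
    signers would let one key vote repeatedly."""
    valid = {a for a in approvals if a in signers}
    return len(valid) >= threshold


def min_external_colluders(signers=SIGNERS, threshold=THRESHOLD):
    """Fewest non-insider signers an all-insider coalition must recruit to
    reach the threshold. With 4 insiders and a threshold of 5, one external
    signer suffices, which is the collusion risk Bons describes."""
    insiders = sum(1 for role in signers.values() if role == "insider")
    return max(0, threshold - insiders)


def quorum_availability(n, k, p):
    """Probability that at least k of n signers respond, modelling each
    signer as independently reachable with probability p (assumption).
    Binomial tail: sum over i = k..n of C(n, i) p^i (1-p)^(n-i)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def compare_thresholds(candidates, insiders, p):
    """For each (n, k) candidate return the collusion bar (external signers an
    insider bloc still needs) next to the probability that an emergency quorum
    can be assembled. Raising k raises the first number and lowers the second,
    which is the trade-off Bjelic refers to."""
    return {
        (n, k): (max(0, k - insiders), round(quorum_availability(n, k, p), 4))
        for n, k in candidates
    }


if __name__ == "__main__":
    print("external colluders needed for 5-of-8 with 4 insiders:", min_external_colluders())
    # p = 0.9 per-signer reachability during an incident is an assumed figure.
    for (n, k), (bar, avail) in compare_thresholds([(8, 5), (8, 7), (12, 9)], 4, 0.9).items():
        print(f"{k}-of-{n}: external colluders needed={bar}, quorum reachable p={avail}")
```

The model only counts distinct authorized signers, because the security of an m-of-n scheme rests on the contract enforcing exactly that; it says nothing about how the keys are custodied, which is where the "reputable projects" argument and the collusion argument actually diverge.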

Here’s what Polygon should do

In his tweets, Bons also shares some advice with the Polygon team.

In Bons’ opinion, Polygon has to decentralize its own governance based on the MATIC token holders. Currently, this is still far too centralized, following a DPoS (Delegated Proof of Stake) model with a low number of validators. According to data from the Polygon block explorer Polygonscan, only 4 validators mined a majority of the blocks in the past 7 days.

Once Polygon has decentralized its governance, it will have to transfer the smart contract admin key to the MATIC token holders, Bons suggests, effectively turning control over to the “Matic DAO”. This would most likely require a migration to a new Polygon smart contract.

“This would obviously be very hard and costly to do. However, that is the price to pay for not doing things right, to begin with. It is the price we pay for decentralization and the security that comes along with that. This is what cryptocurrency should be all about,” Bons tweets.

In his reply, Bjelic says that the suggested solution “is definitely our goal, as described in the transparency report. However, this will increase the reaction time in case of a bug, so it will be implemented and activated gradually.”

CryptoSlate has reached out to Polygon for comment, but received no answer at the time of writing. Some of the quotes have been edited for clarity.
