
Polygon network infrastructure security

Polygon Labs develops bridge infrastructure: smart contracts that transfer assets between Ethereum and both the Polygon PoS network and the Polygon zkEVM scaling solution. The bridges use a lock-and-mint architecture: assets deposited on Ethereum are locked in the bridge contracts while a corresponding representation is minted on the Polygon side, so the bridge contracts themselves custody the locked assets. Security practices applied to this infrastructure include risk management, secure software development, auditing, vulnerability management, CI/CD controls, onchain monitoring, and bug bounties.

Monitoring

Onchain infrastructure is monitored in real time to supplement the application security work done during development: threat modeling, code auditing, supply-chain risk management, and bug bounties. Real-time monitoring combines machine learning models over onchain data, intended to surface unknown threats, with rule-based detections that capture known adversarial and error scenarios. The monitoring stack was built in-house and extended with vendors where specific analysis capabilities were needed. Adverse events flagged by the models and rules are evaluated, triaged, and escalated to the appropriate team when necessary; the monitoring process is integrated with the enterprise incident response process.

Multisig security

Polygon Labs employees who are signers on multisig contracts must follow specific requirements. Multisigs consist of Safes (previously Gnosis Safes) and other smart contract multisig implementations. Signer requirements:
  • Hardware wallet: Polygon Labs requires a hardware wallet (cold storage) from an accepted vendor, dedicated to official company use and secured by a PIN.
  • Hot wallets: Hot wallets are not permitted as signers on Polygon Labs' multisigs.
  • Corporate workstation: Signing must be performed from a company system managed by the enterprise mobile device management (MDM) platform, with anti-virus (AV) and endpoint detection and response (EDR) in place.
  • Clean key: All signers must use a clean key, one that has never been exposed to a hot wallet.
  • Mnemonic storage: Polygon Labs mandates secure storage of mnemonic seed phrases and provides guidance to its employees on how to do so.
  • Secure communication: All multisig signing events are coordinated over Polygon Labs' accepted communication channels for multisigs.
All corporate multisigs are monitored 24/7 by the Polygon security team.
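The rule-based side of the monitoring described above, and the 24/7 watch on corporate multisigs, can be illustrated with a small stateful rule engine. The following is an added example written for this page; it is not Polygon Labs' monitoring code. It replays a constructed stream of simplified bridge and Safe events (the event names `Locked`, `Unlocked`, `Minted`, `Burned`, `AddedOwner`, `RemovedOwner`, `ChangedThreshold`, the token symbol, the addresses, the large-transfer cap and the minimum signer threshold are all assumptions for illustration) and checks the lock-and-mint invariant (amount minted on the Polygon side must never exceed the amount locked on Ethereum), flags large transfers, and raises an alert on any change to the multisig's owner set or threshold.

```python
"""Rule-based onchain monitor over a constructed event stream (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    chain: str               # "L1" (Ethereum) or "L2" (Polygon side); labels are assumed
    block: int
    name: str                # simplified event name, not a real ABI signature
    args: Dict[str, object]


@dataclass
class Alert:
    severity: str
    rule: str
    block: int
    detail: str


class BridgeMonitor:
    """Replays events in order, maintaining the lock-and-mint ledger per token
    and the multisig owner set, and emits alerts when a rule fires."""

    def __init__(self, large_amount: int, min_threshold: int, owners: set):
        self.large_amount = large_amount      # hypothetical cap for "large_transfer"
        self.min_threshold = min_threshold    # policy floor for the Safe threshold
        self.owners = set(owners)             # known-good signer set (constructed)
        self.locked: Dict[str, int] = {}      # per token, L1 side
        self.minted: Dict[str, int] = {}      # per token, L2 side
        self.alerts: List[Alert] = []

    def _alert(self, severity: str, rule: str, ev: Event, detail: str) -> None:
        self.alerts.append(Alert(severity, rule, ev.block, detail))

    def process(self, ev: Event) -> None:
        a = ev.args
        if ev.name in ("Locked", "Unlocked", "Minted", "Burned"):
            token, amount = str(a["token"]), int(a["amount"])
            if amount >= self.large_amount:
                self._alert("medium", "large_transfer", ev, f"{ev.name} {amount} {token}")
            if ev.name == "Locked":
                self.locked[token] = self.locked.get(token, 0) + amount
            elif ev.name == "Unlocked":
                remaining = self.locked.get(token, 0) - amount
                if remaining < 0:   # more left the vault than was ever locked
                    self._alert("critical", "unlock_exceeds_locked", ev,
                                f"{token}: unlock {amount} > locked {self.locked.get(token, 0)}")
                self.locked[token] = max(remaining, 0)
            elif ev.name == "Minted":
                self.minted[token] = self.minted.get(token, 0) + amount
                if self.minted[token] > self.locked.get(token, 0):   # unbacked supply
                    self._alert("critical", "mint_exceeds_locked", ev,
                                f"{token}: minted {self.minted[token]} > locked {self.locked.get(token, 0)}")
            else:  # Burned reduces L2 supply ahead of an unlock
                self.minted[token] = max(self.minted.get(token, 0) - amount, 0)
        elif ev.name == "AddedOwner":
            self._alert("high", "owner_added", ev, f"new signer {a['owner']}")
            self.owners.add(str(a["owner"]))
        elif ev.name == "RemovedOwner":
            self._alert("high", "owner_removed", ev, f"signer removed {a['owner']}")
            self.owners.discard(str(a["owner"]))
        elif ev.name == "ChangedThreshold":
            t = int(a["threshold"])
            if t < self.min_threshold:
                self._alert("critical", "threshold_below_policy", ev, f"threshold set to {t}")
            else:
                self._alert("medium", "threshold_changed", ev, f"threshold set to {t}")
        else:
            self._alert("low", "unknown_event", ev, ev.name)

    def critical(self) -> List[Alert]:
        return [x for x in self.alerts if x.severity == "critical"]


# Constructed sample stream: one healthy lock/mint pair, then several rule violations.
SAMPLE_EVENTS = [
    Event("L1", 100, "Locked",           {"token": "TKN", "amount": 1_000, "user": "0xaaaa"}),
    Event("L2", 200, "Minted",           {"token": "TKN", "amount": 1_000, "user": "0xaaaa"}),
    Event("L2", 201, "Minted",           {"token": "TKN", "amount": 500, "user": "0xbbbb"}),      # unbacked mint
    Event("L1", 101, "Locked",           {"token": "TKN", "amount": 5_000_000, "user": "0xcccc"}),  # large
    Event("L1", 102, "Unlocked",         {"token": "TKN", "amount": 6_000_000, "user": "0xcccc"}),  # large + drain
    Event("L1", 103, "AddedOwner",       {"owner": "0xdead"}),
    Event("L1", 104, "ChangedThreshold", {"threshold": 1}),
]


def run_sample() -> BridgeMonitor:
    mon = BridgeMonitor(large_amount=1_000_000, min_threshold=2,
                        owners={"0x1111", "0x2222", "0x3333"})
    for ev in SAMPLE_EVENTS:
        mon.process(ev)
    return mon


if __name__ == "__main__":
    for al in run_sample().alerts:
        print(f"[{al.severity}] block {al.block} {al.rule}: {al.detail}")
```

The replay is ordered as listed; a production pipeline would order events by finalized block on each chain and treat an L2 mint that precedes its finalized L1 lock as its own rule. In the sample, the second mint, the oversized unlock, the new owner and the lowered threshold each produce an alert, which is the kind of output that would be triaged and, if warranted, escalated into the incident response process.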