Polygon avoids losses worth $850M; pays out $2M for disclosing vulnerability


A Whitehat hacker recently revealed a critical vulnerability on Polygon, which could have resulted in losses to the tune of $ 850 million.

However, the Polygon team was quick to assure the community that no user funds were lost due to the exploit. In fact, in exchange for “responsible disclosure of the bug,” Polygon revealed that he gave a bounty of $ 2 million to Whitehat Gerhard Wagner.

Immunefi, a DeFi bug bounty platform, went on to add that it is the highest bug bounty ever paid out in history.

According to Immunefi, Wagner submitted a bug report earlier this month, which affected the Polygon Plasma Bridge. A report released by the platform said,

“The vulnerability allowed an attacker to exit their burn transaction from the bridge multiple times, up to 223 times.”

This was basically a double spend bug affecting the “Depot Manager” on the network. We know that Polygon enables interoperability with the Ethereum blockchain. The security hole was found in the withdrawal procedure which checks for proof of transaction burn.

Polygon subsequently fixed the breach in about a week’s time after receiving the report from Immunefi. Besides the bug bounty, Polygon also paid a commission to Immunefi for facilitating the bounty program.

What could have happened if the bug was not found earlier?

In case the plug had been delayed, a huge deposit of ETH tokens through the Polygon Bridge could have resubmitted a withdrawal procedure 223 times.

Wagner explained,

“A malicious user can exploit the problem to create alternate outputs for the same burn transaction and double spend on the Polygon network.”

Here, it is noteworthy that there is a waiting period of seven days before a user can claim back funds to their Ethereum account. Therefore, after the waiting period, a malicious user with an initial deposit of $ 200,000 may end up receiving an additional $ 44.6 million for the same transaction.

A point of clarification, however. Polygon offers two bridges – The Plasma bridge and the PoS bridge. The bug was only found in the old protocol.

Lately, Polygon has been seeing tremendous growth in developers. Indeed, alchemy revealed in a recent article that active developers increase by over 60% each month on average.

Additionally, the month-on-month usage has grown by over 145%, as of October.


Read Previous

First US Bitcoin ETF Approaches Futures Contract Limit Days After Launch

Read Next

Chiliz (CHZ) Review: All You Need to Know

Leave a Reply

Your email address will not be published. Required fields are marked *

Right Menu Icon