Polygon avoids losses worth $850M; pays out $2M for disclosing vulnerability
A white-hat hacker recently disclosed a critical vulnerability in Polygon's bridge, one that could have resulted in losses to the tune of $850 million.
However, the Polygon team was quick to assure the community that no user funds were lost: the bug was fixed before anyone exploited it. In fact, in return for “responsibly disclosing the bug,” Polygon revealed that it had paid a bounty of $2 million to white-hat hacker Gerhard Wagner.
Immunefi, the DeFi bug bounty platform that brokered the report, added that it is the largest bug bounty ever paid out.
As promised, we broke another record. @g3rh4rdw4gn3r found a bug in @0xPolygon's plasma bridge that could have resulted in an $850m loss if exploited.
The bounty payout is the largest: $2m.
Bug fixed. Everyone is safe!
A real win for all. https://t.co/1fqd4ul3uO
— Immunefi (@immunefi) October 21, 2021
According to Immunefi, Wagner submitted a bug report earlier this month, one that affected the Polygon Plasma Bridge. A report released by the platform stated,
“The vulnerability allowed an attacker to exit their burn transaction from the bridge multiple times, up to 223 times.”
It was essentially a double-spending bug in the bridge's ‘Deposit Manager’ component. Polygon's bridges move assets between Ethereum and the Polygon network, and the weakness was in the withdrawal procedure that verifies the proof of a burn transaction before releasing funds on Ethereum.
Polygon fixed the bug within about a week of receiving the report from Immunefi. Apart from the bounty itself, Polygon also paid Immunefi a commission for facilitating the bounty program.
What could have happened if the bug was not found earlier?
Had the fix been delayed, an attacker could have made a large deposit of ETH through the Plasma Bridge, burned it on Polygon, and then submitted an exit for that single burn up to 223 times.
Wagner explained,
“A malicious user can leverage the issue to create alternative exits for the same burn transaction and perform double spends on the Polygon network.”
Here, it is noteworthy that the Plasma Bridge imposes a seven-day waiting period before a user can claim withdrawn funds on their Ethereum account, so the attack would not have paid out immediately. Once that period elapsed, however, a malicious user who had deposited $200,000 could have collected an additional $44.6 million (223 exits of the same $200,000) for a single burn transaction.
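To make the double-spend concrete, here is an added toy model of a Plasma-style withdraw check that accepts more than one exit for the same burn, beside a hardened version. It is example code written for this article, not Polygon's or Immunefi's code, and the article does not state the exact root cause of the real bug. The model therefore assumes only what the text describes: the withdrawal path verified the burn proof correctly but let an attacker register "alternative exits" for one burn. In this constructed version that happens because the proof path (the trie branch mask) is normalized before verification, while the exit bookkeeping deduplicates on the caller's raw, malleable encoding of it. The names, the five path encodings and the $200,000 amount are constructed for illustration.

```python
"""Toy model of a Plasma-style exit check that can be double-spent.

Constructed example, not Polygon's contract code. Assumption (not stated on
the page): the exit identifier is derived from the caller's raw encoding of
the proof path, which has many byte-level spellings for the same path.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Burn:
    tx_hash: str   # hash of the burn transaction on the child chain
    amount: int    # amount burned (USD in the article's example)
    path: int      # position of the tx in the checkpointed trie ("branch mask")


def normalize_path(encoded: str) -> int:
    """Parse a hex-encoded branch mask. Many encodings map to one path."""
    return int(encoded, 16)   # accepts '0xff', 'FF', '00ff', '0x0000ff', ...


def verify_burn_proof(burn: Burn, encoded_path: str) -> bool:
    """Stand-in for Merkle proof verification: the decoded path must match
    the position recorded for the burn in the checkpoint."""
    return normalize_path(encoded_path) == burn.path


@dataclass
class WithdrawManager:
    hardened: bool
    checkpointed: dict = field(default_factory=dict)  # tx_hash -> Burn
    seen_exits: set = field(default_factory=set)
    paid_out: int = 0

    def checkpoint(self, burn: Burn) -> None:
        self.checkpointed[burn.tx_hash] = burn

    def exit_id(self, burn: Burn, encoded_path: str) -> str:
        if self.hardened:
            # Key on the canonical identity of the burn: one burn, one exit.
            material = f"{burn.tx_hash}:{normalize_path(encoded_path):x}"
        else:
            # Vulnerable: key on the caller's raw encoding, which is malleable,
            # so the same burn yields a fresh exit id for every spelling.
            material = f"{burn.tx_hash}:{encoded_path}"
        return hashlib.sha256(material.encode()).hexdigest()

    def start_exit(self, tx_hash: str, encoded_path: str) -> bool:
        burn = self.checkpointed.get(tx_hash)
        if burn is None or not verify_burn_proof(burn, encoded_path):
            return False          # proof check itself is fine in both versions
        eid = self.exit_id(burn, encoded_path)
        if eid in self.seen_exits:
            return False          # this exit was already processed
        self.seen_exits.add(eid)
        self.paid_out += burn.amount
        return True


def run_attack(hardened: bool) -> int:
    """Deposit once, burn once, then try to exit with several encodings of the
    same proof path. Returns the total the bridge would release."""
    burn = Burn(tx_hash="0xabc123", amount=200_000, path=0xFF)  # constructed
    wm = WithdrawManager(hardened=hardened)
    wm.checkpoint(burn)
    # Five constructed encodings that all decode to path 0xFF.
    for encoded in ("0xff", "0xFF", "ff", "00ff", "0x0000ff"):
        wm.start_exit(burn.tx_hash, encoded)
    return wm.paid_out


if __name__ == "__main__":
    print("vulnerable bridge pays out:", run_attack(hardened=False))  # 1000000
    print("hardened bridge pays out:  ", run_attack(hardened=True))   # 200000
```

The lesson generalizes beyond this toy: whenever replay protection keys on data the caller can re-encode (proof paths, RLP or hex spellings, signature encodings) rather than on the canonical identity of the thing being spent, every extra valid encoding is an extra spend. The article's 223 exits is exactly that multiplier applied to a single $200,000 burn.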
A point of clarification, however: Polygon offers two bridges, the Plasma Bridge and the PoS Bridge, and the bug affected only the former.
Lately, Polygon has seen tremendous growth in developer activity. In fact, Alchemy reported in a recent post that the number of active developers has been growing by over 60% per month on average.
Additionally, month-on-month usage had grown by over 145% as of October.