
Polygon avoids losses worth $850M; pays out $2M for disclosing vulnerability


A whitehat hacker recently disclosed a critical vulnerability in Polygon, one that could have resulted in losses to the tune of $850 million.

However, the Polygon team was quick to assure the community that no user funds were lost due to the bug. In fact, in return for “responsibly disclosing the bug,” Polygon revealed that it has extended a bounty of $2 million to whitehat Gerhard Wagner.

Immunefi, a DeFi bug bounty platform, went on to add that it is the highest bug bounty ever paid out in history.

According to Immunefi, Wagner submitted a bug report earlier this month, one that affected the Polygon Plasma Bridge. A report released by the platform stated,

“The vulnerability allowed an attacker to exit their burn transaction from the bridge multiple times, up to 223 times.”

It was essentially a double-spending bug affecting the ‘Deposit Manager’ on the network. Polygon enables interoperability with the Ethereum blockchain, and the weakness lay in the withdrawal procedure that verifies the burn proof of a transaction before releasing funds.

Polygon patched the vulnerability in about a week’s time after receiving the report from Immunefi. Apart from the bug bounty, Polygon has also paid a commission to Immunefi for facilitating the bounty program.

What could have happened if the bug was not found earlier?

Had the fix been delayed, an attacker making a large deposit of ETH tokens through the Polygon bridge could have resubmitted the withdrawal procedure for that same deposit 223 times.

Wagner explained,

“A malicious user can leverage the issue to create alternative exits for the same burn transaction and perform double spends on the Polygon network.”

Here, it is noteworthy that there is a waiting period of seven days before a user can claim back funds to their Ethereum account. Therefore, after the waiting period, a malicious user with an initial deposit of $200,000 can end up receiving an additional $44.6 million for the same transaction.
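To illustrate the class of bug the quotes above describe, here is an added Python model of bridge exit replay protection; it is constructed for this article, is not Polygon’s code, and does not claim to reproduce the real root cause. The names `Burn`, `Bridge`, `proof_encoding` and `replay_exits` are hypothetical: the vulnerable bridge deduplicates exits by an id that mixes in submitter-controlled proof encoding, so one burn yields many “alternative exits”; the hardened bridge keys on the burn transaction hash alone.

```python
# Constructed model of Plasma-style bridge exits (not Polygon's code).
import hashlib
from dataclasses import dataclass, field


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass(frozen=True)
class Burn:
    tx_hash: bytes   # canonical identity of the burn on the child chain
    owner: str
    amount: int


@dataclass
class Bridge:
    vulnerable: bool
    committed_burns: set = field(default_factory=set)  # checkpointed burns
    seen_exits: set = field(default_factory=set)       # replay-protection set
    balances: dict = field(default_factory=dict)       # funds released on root chain

    def exit_id(self, burn: Burn, proof_encoding: bytes) -> bytes:
        # Vulnerable: the id mixes in submitter-chosen proof encoding, so one
        # burn maps to many distinct ids. Hardened: the id is the burn hash alone.
        if self.vulnerable:
            return h(burn.tx_hash, proof_encoding)
        return burn.tx_hash

    def process_exit(self, burn: Burn, proof_encoding: bytes) -> bool:
        if burn.tx_hash not in self.committed_burns:
            return False                      # burn proof does not verify
        eid = self.exit_id(burn, proof_encoding)
        if eid in self.seen_exits:
            return False                      # duplicate exit rejected
        self.seen_exits.add(eid)
        self.balances[burn.owner] = self.balances.get(burn.owner, 0) + burn.amount
        return True


def replay_exits(vulnerable: bool, attempts: int, amount: int = 200_000) -> int:
    """Submit one committed burn `attempts` times, each with a different
    proof encoding, and return the total credited to its owner."""
    bridge = Bridge(vulnerable=vulnerable)
    burn = Burn(tx_hash=h(b"constructed-burn-1"), owner="alice", amount=amount)
    bridge.committed_burns.add(burn.tx_hash)
    for i in range(attempts):
        bridge.process_exit(burn, proof_encoding=i.to_bytes(2, "big"))
    return bridge.balances.get("alice", 0)
```

With 223 attempts the vulnerable model credits 223 × $200,000 = $44.6 million for a single burn, while the hardened model credits the deposit exactly once.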

A point of clarification, however: Polygon offers two bridges, the Plasma bridge and the PoS bridge. The bug was found only in the former.

Lately, Polygon has been seeing tremendous growth in developers. In fact, Alchemy revealed in a recent post that active developers are growing by over 60% every month on average.

Additionally, the month-on-month usage has grown by over 145%, as of October.


Shraddha is a full-time journalist at AMBCrypto. She has a keen interest in personal finance and wealth generation. Her primary focus is on the cryptocurrency space's applications for investment vehicles and portfolios.