Polygon’s team has paid a record bounty of $2 million to white hat hacker Gerhard Wagner for discovering a critical vulnerability that had put around $850 million of capital at risk. Gerhard’s discovery identified a potential “double-spend” bug on Polygon’s Network that could have turned out to become a costly affair.
According to Immunefi, a bug bounty and security platform that also hosts Polygon’s bounty program, this is the highest bounty to be paid in DeFi.
The Vulnerability
Immunefi, a firm that facilitates bug reports in Decentralized Finance, put up a blog post stating Polygon’s Plasma Bridge was at risk of having around $850 million stolen by a competent enough hacker. Immunefi reported that using the vulnerability. Hackers would be able to exit their burn transaction from the Plasma Bridge up to 223 times. This could potentially turn a few thousand dollars into millions.
How It Worked
Immunefi also described how the exploit worked, with the attacker deploying Ether (ETH) through the Plasma Bridge. Once the transaction is confirmed, the attacker can start withdrawing, then wait for a week and re-submit the same set of withdrawals, with a minor change in the “first byte of the branch mask.”
In this scenario, if the attacker had deposited $3.8 million, they could have withdrawn the entire $850 million of user funds available with the bridge’s deposit manager.
Polygon Swings Into Action
Once Wagner Submitted the vulnerability, Polygon was quick to begin fixing the issue, acknowledging it, and starting the fix within 30 minutes. Polygon’s quick response to Wagner’s findings ensured that no user funds were compromised or lost, with the issue having been resolved seamlessly.
Founder and CEO of Immunefi, Mitchell Amador, commented on Gerhard’s findings and also congratulated him, stating,
“We congratulate Gerhard for his fantastic work and excellent report and appreciate the swift response, subsequent fix, and a fast payout from Polygon.”
The Largest Payout
For its part, Polygon also agreed to pay out its maximum mount for a bug report, paying Wagner $2 million, which is the highest bounty to be paid in DeFi to date. According to Wagner, the bug could have occurred due to the “use of someone else’s code and not having a 100% understanding of what it does.” He also added that while the solution was not very elegant, it was able to fix the double-spend loophole.
Before the latest $2 million payout, the previous largest bounty for a white hacker was sent to Alexander Sclindwein, who had discovered a critical vulnerability in Belt Finance’s protocol, and was rewarded $1.05 million.
Polygon’s Bounty Program
Polygon’s bounty program was launched in September on Immunefi, with the team looking to weed out security flaws on the protocol. Polygon’s bounty program invites white hat hackers to look for potential vulnerabilities in Polygon’s smart contracts and decentralized applications.
White hat hackers and security researchers are rewarded according to the severity of the threat they report and the issues they identify. This is calculated by using the Vulnerability Severity Classification System that allows Immuniefi to rank threats according to their severity. Low-level threats have a minimum bounty of $1000, while higher-level threats such as the critical vulnerability discovered by Wagner can go up to $2 million.
Co-founder of Polygon, Jayanti Kanani, commented on the bounty program, stating,
“We hope this bounty on Immunefi sets an example for other web 3.0 projects and attracts Giga brains from the white hat security research community to contribute to web 3.0 and make it more resilient from future security threats.”
Polygon has also undergone a complete audit for its smart contracts from cybersecurity firm Certik.
