Polygon pays $2M bounty on bug which could have compromised $850M in user funds

Published at: Oct. 22, 2021

White hat hacker Gerhard Wagner has earned $2 million after reporting a solution to a potentially costly “double-spend” bug on the Polygon network.

In an Oct. 21 blog post, Immunefi, a security service that helps facilitate bug reports in decentralized finance projects, said Polygon network’s Plasma Bridge was at risk of having $850 million removed by a knowledgeable hacker. According to the project, the vulnerability would have allowed attackers to exit their burn transaction from the bridge up to 223 times, quickly turning an amount like $4,500 into $1 million in profit.

Immunefi reported that the double-spend exploit worked by first depositing Ether (ETH) through the Plasma Bridge and starting the withdrawal process once the transaction was confirmed. A hacker could then wait a week and resubmit the same withdrawals, differing only in "a modified first byte of the branch mask." Provided the hacker was able to begin with $3.8 million, they could have potentially depleted all $850 million in funds from the bridge’s deposit manager at the time.
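The defect class described above, as an added toy model that is not Polygon's code: a bridge whose replay protection is keyed on proof metadata (here the branch mask, assumed malleable in its first byte) pays the same burn out repeatedly, while one keyed on the burn transaction itself pays it once. The `ExitClaim`, `NaiveBridge`, `HardenedBridge` and `total_paid` names and the 32-byte mask layout are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ExitClaim:
    """One withdrawal ("exit") submitted against the bridge (constructed model)."""
    burn_tx_hash: bytes   # identity of the burn transaction on the child chain
    branch_mask: bytes    # Merkle proof metadata; assumed malleable in its first byte
    amount: int


class NaiveBridge:
    """Replay protection keyed on (burn tx, branch mask): a malleable mask yields
    a fresh key, so the same burn can be exited again and again."""

    def __init__(self):
        self.exited = set()   # keys of exits already paid out
        self.paid_out = 0

    def exit_key(self, claim):
        return hashlib.sha256(claim.burn_tx_hash + claim.branch_mask).digest()

    def process_exit(self, claim):
        key = self.exit_key(claim)
        if key in self.exited:
            return False      # already exited: reject the replay
        self.exited.add(key)
        self.paid_out += claim.amount
        return True


class HardenedBridge(NaiveBridge):
    """Replay protection keyed on the burn transaction alone: proof metadata can
    no longer mint a new exit for a burn that was already paid."""

    def exit_key(self, claim):
        return claim.burn_tx_hash


def total_paid(bridge, claim, resubmissions):
    """Submit the claim once, then `resubmissions` copies that differ only in the
    first byte of the branch mask, and return what the bridge paid out in total."""
    bridge.process_exit(claim)
    for i in range(1, resubmissions + 1):
        mask = bytes([(claim.branch_mask[0] + i) % 256]) + claim.branch_mask[1:]
        bridge.process_exit(ExitClaim(claim.burn_tx_hash, mask, claim.amount))
    return bridge.paid_out


# Constructed sample: one 4,500-unit burn resubmitted 223 more times, as in the article.
SAMPLE = ExitClaim(hashlib.sha256(b"burn-tx-1").digest(), b"\x00" * 32, 4_500)
```

The audit question this models is simply: what is the withdrawal's uniqueness key derived from, and can a submitter vary any of its inputs without invalidating the proof?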

Polygon agreed to pay its maximum amount for a bug bounty report — $2 million — following Wagner’s initial report on Oct. 5. According to the platform, the fix has already been deployed on the mainnet after testing, Wagner has received the funds, claimed to be “the highest bounty ever paid out in history,” and no user funds were lost to the exploit.

Wagner speculated on his Medium page that the bug might be due to “using someone else’s code and not having a 100% understanding of what it does.” He added that the solution was “not very elegant” but did fix the double-spend exploit.

Related: White hat hacker paid DeFi’s largest reported bounty fee

Before this latest $2 million payout, the largest bounty for a white hat hacker had gone to programmer Alexander Schlindwein, who in September discovered a vulnerability in Belt Finance’s protocol and was awarded $1.05 million. However, the U.S. Department of State may topple that record if a hacker is able to pass on information on terrorist suspects, extremists and state-sponsored hackers — the government said it would be offering rewards of up to $10 million.
