Polygon pays $2M bounty on bug which could have compromised $850M in user funds
White hat hacker Gerhard Wagner has earned $2 million for reporting a potentially costly “double-spend” bug on the Polygon network, along with a proposed fix.
According to an Oct. 21 blog post from Immunefi, a security service that helps facilitate bug reports in decentralized finance projects, Polygon network’s Plasma Bridge was at risk of having $850 million removed by a knowledgeable hacker. According to the project, the vulnerability would have allowed attackers to exit the same burn transaction from the bridge up to 223 times, quickly turning an amount like $4,500 into $1 million in profit.
Immunefi reported that the double-spend exploit worked by first depositing Ether (ETH) through the Plasma Bridge and starting the withdrawal process after the transaction was confirmed. A hacker could then wait a week (the Plasma exit challenge period) and resubmit the same withdrawal with only “a modified first byte of the branch mask.” Provided the hacker was able to begin with $3.8 million, they could have potentially depleted all $850 million in funds from the bridge’s deposit manager at the time.
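The following is an added, simplified model of the bug class described above (a replay key derived from bytes the inclusion proof never verifies); it is constructed for this article and is not Polygon’s contract code, and its Merkle tree, its one-byte “prefix” at the front of the branch mask, the `VulnerableWithdrawManager` and `HardenedWithdrawManager` classes and the sample burn leaves are all assumptions for illustration. In this model every one of the 256 first-byte values is accepted, whereas the report above puts the real figure at 223.

```python
import hashlib
from typing import List, Set, Tuple


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated parts (stand-in for the bridge's hash)."""
    return hashlib.sha256(b"".join(parts)).digest()


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Levels of a binary Merkle tree: levels[0] are leaf hashes, levels[-1][0] is the root.
    Leaves are padded to a power of two with the hash of the empty string."""
    level = [h(b"\x00", leaf) for leaf in leaves]
    while len(level) & (len(level) - 1):
        level.append(h(b"\x00", b""))
    levels = [level]
    while len(level) > 1:
        level = [h(b"\x01", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def make_proof(levels: List[List[bytes]], index: int) -> Tuple[bytes, List[bytes]]:
    """(branch_mask, siblings) for the leaf at `index`. The branch mask is modelled
    (assumption) as one prefix byte, 0x00 in canonical form, followed by the 32-bit
    big-endian path index. The prefix byte is the malleable part: verify() never reads it."""
    siblings, i = [], index
    for level in levels[:-1]:
        siblings.append(level[i ^ 1])
        i >>= 1
    return bytes([0x00]) + index.to_bytes(4, "big"), siblings


def verify(root: bytes, leaf: bytes, branch_mask: bytes, siblings: List[bytes]) -> bool:
    """Recompute the root from the leaf and siblings using only the path bits."""
    path = int.from_bytes(branch_mask[1:], "big")  # prefix byte ignored here
    node = h(b"\x00", leaf)
    for sibling in siblings:
        node = h(b"\x01", sibling, node) if path & 1 else h(b"\x01", node, sibling)
        path >>= 1
    return node == root


class VulnerableWithdrawManager:
    """Replay key derived from (leaf, whole branch_mask): the unverified prefix byte
    lets one burn yield up to 256 distinct exit ids."""

    def __init__(self, root: bytes) -> None:
        self.root = root
        self.exits: Set[bytes] = set()
        self.paid = 0

    def exit(self, leaf: bytes, branch_mask: bytes, siblings: List[bytes], amount: int) -> None:
        if not verify(self.root, leaf, branch_mask, siblings):
            raise ValueError("invalid inclusion proof")
        exit_id = h(leaf, branch_mask)  # BUG: includes a byte the proof does not cover
        if exit_id in self.exits:
            raise ValueError("exit already processed")
        self.exits.add(exit_id)
        self.paid += amount


class HardenedWithdrawManager(VulnerableWithdrawManager):
    """Reject non-canonical masks and key the replay check only on verified bytes."""

    def exit(self, leaf: bytes, branch_mask: bytes, siblings: List[bytes], amount: int) -> None:
        if len(branch_mask) != 5 or branch_mask[0] != 0x00:
            raise ValueError("non-canonical branch mask")
        if not verify(self.root, leaf, branch_mask, siblings):
            raise ValueError("invalid inclusion proof")
        exit_id = h(leaf, branch_mask[1:])  # only the path bits the verifier actually checked
        if exit_id in self.exits:
            raise ValueError("exit already processed")
        self.exits.add(exit_id)
        self.paid += amount


def replay_attempts(manager_cls, amount: int = 4500) -> Tuple[int, int]:
    """Exit one burn, then resubmit it with every possible first byte of the mask.
    Returns (successful exits, total paid out). Burn leaves are constructed samples."""
    leaves = [b"burn:attacker:4500", b"burn:bob:10", b"burn:carol:7"]
    levels = build_tree(leaves)
    manager = manager_cls(levels[-1][0])
    mask, siblings = make_proof(levels, 0)
    successes = 0
    for first_byte in range(256):
        try:
            manager.exit(leaves[0], bytes([first_byte]) + mask[1:], siblings, amount)
            successes += 1
        except ValueError:
            pass
    return successes, manager.paid


if __name__ == "__main__":
    print("vulnerable:", replay_attempts(VulnerableWithdrawManager))  # (256, 1152000)
    print("hardened:  ", replay_attempts(HardenedWithdrawManager))    # (1, 4500)
```

The general lesson is the one Wagner’s report points at: a replay or nullifier key must be computed from exactly the bytes the proof commits to, and any encoding with redundant representations must be rejected rather than silently tolerated.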
Polygon agreed to pay its maximum amount for a bug bounty report — $2 million — following Wagner’s initial report on Oct. 5. According to the platform, the fix has already been deployed on mainnet after testing, Wagner has received the funds in what Immunefi called “the highest bounty ever paid out in history,” and no user funds were lost.
Wagner speculated on his Medium page that the bug might be due to “using someone else’s code and not having a 100% understanding of what it does.” He added the solution was “not very elegant” but did fix the double-spend exploit.
Before this latest $2 million payout, the largest bounty for a white hat hacker had gone to programmer Alexander Schlindwein, who in September discovered a vulnerability in Belt Finance’s protocol and was awarded $1.05 million. However, the U.S. Department of State may topple that record if a hacker is able to pass on information about terrorist suspects, extremists and state-sponsored hackers: the government said it would be offering rewards of up to $10 million.