Whitehat hacker detects and discloses critical vulnerability on Polygon, receives $2M bounty

  • Polygon avoided up to $850 million in losses that could have resulted from a critical vulnerability on the platform.
  • The whitehat hacker who detected and disclosed the bug received a $2 million bounty, and Immunefi received a commission for facilitating the bounty program.

Polygon narrowly avoided a critical vulnerability that could have led to a loss of up to $850 million for the network. A whitehat hacker, Gerhard Wagner, discovered and disclosed the vulnerability on the platform, saving Polygon from possible losses. According to the Polygon team, no funds were lost to the bug.

Whitehat hacker receives $2M bounty 

In appreciation for “responsibly disclosing the bug,” Polygon said it extended a $2 million bounty to the Whitehat hacker. In addition, the Polygon team also thanked the DeFi bug bounty platform, Immunefi, for facilitating the bug bounty.

Immunefi said in a tweet that it “broke another record.” The DeFi bug bounty platform explained that Wagner found a bug in Polygon’s Plasma bridge which, if exploited, could have resulted in losses for the blockchain. The tweet further said that the $2 million payout is the largest bounty ever. Immunefi added, “everyone is safe! A real win for all.”

Immunefi revealed that the whitehat hacker reported a bug affecting the Polygon Plasma Bridge. The critical vulnerability allowed a user to exit the same burn transaction from the bridge multiple times. In total, one burn transaction could be exited 223 times.

In essence, the problem was a double spend affecting the “Deposit Manager” on the network. The Immunefi team immediately confirmed the report and passed it on. Polygon then confirmed the bug and began working on the underlying issue within 30 minutes. While the Polygon triage team was fixing the issue, it also calculated the funds at risk, a figure Wagner confirmed. Polygon then agreed to pay the maximum, $2 million, for the submission.
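The failure mode described above, an exit that can be replayed for one burn, comes down to how a bridge decides whether a burn has already been exited. The following is an added illustration, not Polygon's code and not the whitehat's report: it models a bridge-side exit ledger in Python and contrasts a bookkeeping scheme whose exit identifier includes a submitter-chosen value (so one burn maps to many identifiers) with one keyed only on the canonical burn event. The specific mechanism here, a `submitter_hint` field, is an assumption chosen for illustration; this page does not describe the actual root cause, and the 223 attempts are a constructed sample matching the count the article reports, not a claim about how that count arose.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BurnProof:
    """A proof that a burn occurred on the child chain (constructed sample data).

    tx_hash and log_index are fixed by the child-chain event itself.
    submitter_hint is a hypothetical field the exiting user controls.
    """
    tx_hash: str
    log_index: int
    owner: str
    amount: int
    submitter_hint: int = 0


class VulnerableExitManager:
    """Exit ledger whose identifier mixes in submitter-controlled data.

    Illustrative only: the same burn can be presented under many identifiers,
    so the "already exited" check never fires for the replays.
    """

    def __init__(self) -> None:
        self.processed: set = set()      # exit identifiers already paid out
        self.paid: dict = {}             # owner -> total amount released

    def exit_id(self, proof: BurnProof) -> tuple:
        # Flaw: submitter_hint is part of the identity, so one burn != one id.
        return (proof.tx_hash, proof.log_index, proof.submitter_hint)

    def process_exit(self, proof: BurnProof) -> bool:
        """Release funds for the burn unless this exit id was already processed."""
        eid = self.exit_id(proof)
        if eid in self.processed:
            return False
        self.processed.add(eid)
        self.paid[proof.owner] = self.paid.get(proof.owner, 0) + proof.amount
        return True


class HardenedExitManager(VulnerableExitManager):
    """Same ledger, but the identifier is the canonical burn event only."""

    def exit_id(self, proof: BurnProof) -> tuple:
        # Only fields fixed by the child-chain event: one burn -> exactly one id.
        return (proof.tx_hash, proof.log_index)


def replay_exits(manager: VulnerableExitManager, attempts: int) -> int:
    """Submit one constructed burn `attempts` times, varying only the
    submitter-controlled hint, and return how many exits were paid out."""
    successes = 0
    for hint in range(attempts):
        proof = BurnProof(
            tx_hash="0xburn_tx_constructed",  # constructed sample, not a real hash
            log_index=0,
            owner="alice",
            amount=100,
            submitter_hint=hint,
        )
        if manager.process_exit(proof):
            successes += 1
    return successes


if __name__ == "__main__":
    # Vulnerable ledger pays the same burn out 223 times; hardened pays once.
    print("vulnerable:", replay_exits(VulnerableExitManager(), 223))
    print("hardened:  ", replay_exits(HardenedExitManager(), 223))
```

The defensive point is the invariant, not the data structure: the set of processed exits must be keyed on something the submitter cannot vary for a given burn. A useful review check for any bridge exit path is to enumerate every input that feeds the exit identifier and confirm each one is pinned by the originating event.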

Immunefi stated:

The whitehat received a payout of $2m from Polygon, which is the highest bounty ever paid out in history. We congratulate Gerhard for his fantastic work and excellent report. We also want to thank Polygon for a swift answer and subsequent fix.

Polygon avoids $850M loss

Polygon resolved the issue within a week of receiving the vulnerability report from Immunefi. In that period, the team tested the fix and deployed it to mainnet. In addition to paying the whitehat hacker, Polygon also paid a commission to Immunefi.

Had the bug not been found, the whitehat explained, “a malicious user can leverage the issue to create alternative exits for the same burn transaction and perform double spends on the Polygon network.”

The Polygon network has recently been recording increased activity. Blockchain developer platform Alchemy revealed that the number of active developers on Polygon is growing 2X month over month. As of October, monthly usage on the platform had jumped 145 percent. In addition, Alchemy revealed:

Another interesting finding – about 40% of projects are using Polygon and Ethereum in parallel, while 60% are building alone suggesting there may be a healthy future for Polygon as both a complement to Ethereum and an ecosystem in its own right.

About Author

Bio: Ibukun Ogundare is a crypto writer and researcher who uses non-complex words to educate her audience. Ibukun is excited about writing and always looks forward to bringing more information to the world.