A white-hat hacker recently disclosed a critical vulnerability in Polygon's Plasma bridge that, had it been exploited, could have resulted in losses of up to $850 million.
The Polygon team was quick to reassure the community that no user funds were lost, since the bug was never exploited. Polygon also revealed that it paid the white hat, Gerhard Wagner, a $2 million bounty for "responsibly disclosing the bug."
Immunefi, the DeFi bug bounty platform that handled the report, says this is the largest bug bounty payment ever made.
As promised, we broke another record. @g3rh4rdw4gn3r found a bug in @0xPolygon's plasma bridge that could have resulted in an $850m loss if exploited.
The bounty payout is the largest: $2m.
Bug fixed. Everyone is safe!
A real win for all. https://t.co/1fqd4ul3uO
— Immunefi (@immunefi) October 21, 2021
According to Immunefi, Wagner reported the bug in the Polygon Plasma Bridge earlier this month. The platform's write-up states:
“The vulnerability allowed an attacker to exit their burn transaction from the bridge multiple times, up to 223 times.”
It was essentially a double-spend bug. Polygon's bridges move assets between Ethereum and Polygon; to withdraw, a user burns tokens on Polygon and then presents proof of that burn to the bridge contract on Ethereum. The flaw sat in this withdrawal (exit) path, in the step that verifies the burn proof: the bridge did not recognise that a second exit referred to a burn it had already honoured.
After receiving the report via Immunefi, Polygon shipped a fix in about a week. Beyond the bounty itself, Polygon also paid Immunefi a fee for facilitating the bounty program.
What might have happened if the bug had not been discovered sooner?
Had the fix been delayed, an attacker could have made one large deposit through the Plasma bridge, burnt it on Polygon, and then run the withdrawal procedure against that single burn up to 223 times.
“A malicious user can leverage the issue to create alternative exits for the same burn transaction and perform double spends on the Polygon network.”
It is worth noting that Plasma exits carry a seven-day waiting period before the user can claim funds back to their Ethereum account. The bug did not shorten that window; it meant that once the window elapsed, a malicious user who had burnt a $200,000 deposit could have collected roughly $44.6 million (223 × $200,000) against that one burn transaction.
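The failure mode above, an exit queue that accepts several exits for one burn, is easier to see in a small model. The following is an added example, not Polygon's code and not taken from the disclosure: it assumes, purely for illustration, a proof verifier that tolerates non-canonical (zero-padded) encodings of an inclusion proof, and an exit identifier that mixes the raw proof bytes into the id. How Polygon's bridge actually derived exit ids, and how the alternative exits were constructed, is not stated in the article, so treat that mechanism as an assumption. The 223 and $200,000 figures are the ones quoted in the disclosure; the burn hash and proof format are constructed.

```python
"""Toy model of a Plasma-style exit queue (constructed example, not Polygon's code).

Assumption made here for illustration: the inclusion-proof verifier ignores
leading zero bytes, so every zero-padded variant of the canonical proof is
accepted as valid. A withdraw manager that folds the raw proof bytes into the
exit id then opens a fresh exit for each variant; one keyed on the burn
transaction alone rejects the replays.
"""
import hashlib
from dataclasses import dataclass, field

EXIT_MULTIPLIER = 223   # number of exits per burn quoted in the disclosure
DEPOSIT_USD = 200_000   # initial deposit quoted in the disclosure


@dataclass(frozen=True)
class Burn:
    tx_hash: bytes   # hash of the child-chain burn transaction (constructed)
    amount: int      # value burnt, in USD for this illustration


def canonical_proof(burn: Burn) -> bytes:
    """Stand-in for the Merkle-Patricia inclusion proof of the burn (constructed).
    Starts with a non-zero byte so zero padding is unambiguous."""
    return b"\x01" + hashlib.sha256(b"inclusion:" + burn.tx_hash).digest()


def verify_inclusion(burn: Burn, proof: bytes) -> bool:
    """Lenient verifier (the assumed weakness): leading zero bytes are ignored."""
    return proof.lstrip(b"\x00") == canonical_proof(burn)


@dataclass
class WithdrawManager:
    key_exits_on_proof: bool
    exits: set = field(default_factory=set)
    paid_out: int = 0

    def exit_id(self, burn: Burn, proof: bytes) -> bytes:
        if self.key_exits_on_proof:
            # Weak: any alternative proof encoding the verifier accepts yields a
            # new exit id, so the same burn can be exited again and again.
            return hashlib.sha256(burn.tx_hash + proof).digest()
        # Hardened: the id depends only on the burn transaction itself, so a
        # second exit for the same burn collides with the first and is refused.
        return hashlib.sha256(burn.tx_hash).digest()

    def start_exit(self, burn: Burn, proof: bytes) -> bool:
        """Return True if a new exit was opened and paid, False if rejected."""
        if not verify_inclusion(burn, proof):
            return False
        eid = self.exit_id(burn, proof)
        if eid in self.exits:
            return False
        self.exits.add(eid)
        self.paid_out += burn.amount
        return True


def replay_exits(key_exits_on_proof: bool, attempts: int = EXIT_MULTIPLIER) -> tuple[int, int]:
    """Submit `attempts` differently padded proofs for one burn and return
    (number of exits accepted, total paid out)."""
    burn = Burn(tx_hash=hashlib.sha256(b"burn#1").digest(), amount=DEPOSIT_USD)
    manager = WithdrawManager(key_exits_on_proof)
    base = canonical_proof(burn)
    accepted = 0
    for pad in range(attempts):
        # pad == 0 is the honest proof; pad >= 1 are the malleable alternatives
        if manager.start_exit(burn, b"\x00" * pad + base):
            accepted += 1
    return accepted, manager.paid_out


if __name__ == "__main__":
    print("weak     :", replay_exits(True))    # (223, 44600000)
    print("hardened :", replay_exits(False))   # (1, 200000)
```

The design point is the one the disclosure turns on: whatever identifies an exit must be derived from the canonical identity of the burn, never from a representation the submitter controls, and the proof verifier must accept exactly one encoding. Either fix alone would have closed the replay in this model; a real bridge wants both.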
One point needs clarifying, however. Polygon runs two bridges, the Plasma bridge and the PoS bridge. The bug was found only in the former; the PoS bridge was not affected.
Polygon has recently seen a surge in developer interest. Alchemy revealed in a recent post that the number of active developers on Polygon has been growing by more than 60% per month on average.