A white-hat hacker discovered a critical vulnerability in Polygon's layer-2 solution that could have led to losses of $850 million. The project paid him a record reward of $2 million.
Researchers at the bug bounty platform Immunefi reported the vulnerability and the payout. On October 5, security researcher Gerhard Wagner discovered a serious bug in the Plasma Bridge.
An attacker could have carried out a double-spend attack by creating alternative exits for the same transaction, allowing assets to be withdrawn from the network up to 223 times. For example, if an attacker had deposited $100,000 worth of tokens and withdrawn them as many times as possible, Polygon's losses could have reached $22.3 million.
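To illustrate the failure mode described above, here is an added toy model of a bridge exit queue. It is not Polygon's Plasma Bridge code: the class names, the "encoding" field and the deposit values are assumptions, constructed only to show why exits must be deduplicated by the underlying transaction rather than by how the exit happens to be presented.

```python
from dataclasses import dataclass
from typing import Callable, Hashable

# Constructed toy model, not Polygon's code: an "encoding" stands for any
# alternative but equivalent way of presenting the same exit to the bridge.
@dataclass(frozen=True)
class ExitRequest:
    tx_hash: str    # the single deposit transaction the user is exiting
    encoding: str   # hypothetical alternative presentation of that exit
    amount: int


class ExitProcessor:
    """Pays out exits, remembering which ones were already processed."""

    def __init__(self, key_fn: Callable[[ExitRequest], Hashable]) -> None:
        self.key_fn = key_fn
        self.processed: set = set()
        self.total_paid = 0

    def process(self, req: ExitRequest) -> bool:
        """Return True if the exit was paid, False if rejected as a replay."""
        key = self.key_fn(req)
        if key in self.processed:
            return False
        self.processed.add(key)
        self.total_paid += req.amount
        return True


def exit_key_vulnerable(req: ExitRequest) -> Hashable:
    # Keys on the presented form, so every alternative encoding of the same
    # transaction looks like a brand-new exit and is paid again.
    return (req.tx_hash, req.encoding)


def exit_key_hardened(req: ExitRequest) -> Hashable:
    # Keys on the underlying transaction only: once it has exited, any other
    # presentation of it is rejected as a duplicate.
    return req.tx_hash


def total_withdrawn(key_fn, deposit: int, alternatives: int) -> int:
    """Submit `alternatives` differently encoded exits for one deposit and
    return how much the bridge paid out in total."""
    proc = ExitProcessor(key_fn)
    for i in range(alternatives):
        proc.process(ExitRequest("0xdeposit01", f"alt-{i}", deposit))
    return proc.total_paid


if __name__ == "__main__":
    print(total_withdrawn(exit_key_vulnerable, 100_000, 223))  # 22300000
    print(total_withdrawn(exit_key_hardened, 100_000, 223))    # 100000
```

With the article's figures (a $100,000 deposit and 223 alternative exits), the vulnerable keying pays out $22.3 million while the hardened keying pays the deposit exactly once.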
The Immunefi triage team confirmed the issue and reported it to the Polygon project, whose developers immediately began working on a fix. The total value of the assets at risk was $850 million. However, the Polygon team assured users on Twitter that their funds were safe: attackers had no time to exploit the vulnerability, and it was promptly fixed.
It took one week to test the patch, deploy it to mainnet, and pay the white-hat bounty and the Immunefi platform's fees. Wagner received $2 million under Polygon's bug bounty program, the largest bug bounty payout in DeFi history.
Recall that this month Polygon developers raised transaction fees 30-fold to combat spam transactions. The cause turned out to be arbitrage bots that "spam" transactions to increase their profits.