Main navigation

With $850 Million at Risk, Polygon (MATIC) Paid Largest Bug Bounty in History

News
Fri, 10/22/2021 - 15:21
article image
Vladislav Sopov
White-hat hacker receives $2 million for disclosing the most "expensive" bug in DeFi so far
With $850 Million at Risk, Polygon (MATIC) Paid Largest Bug Bounty in History
Cover image via stock.adobe.com
Read U.TODAY on
Google News
Contents

Polygon, a red-hot smart contracts platform and L2 decentralized finances hub, shares the details of the largest possible hack in DeFi history.

How to make $850 million resubmitting Polygon transactions

According to the official post-mortem released by Immunefi, a multi-product bug bounty platform, in early October 2021, white-hat hacker Gerhard Wagner submitted a bug report to Polygon (MATIC).

According to this report, the flaw in Polygon's scaling solution, Plasma, allowed it to resubmit the burn transaction multiple times. The malefactor could send the withdrawn requests to Polygon again and again, up to 223 times.

To compromise Polygon Plasma Bridge, an attacker needed to just slightly modify some technical parameters of transactional data, i.e., the "first byte of the branch mask."

Given the aggregated amount of funds locked in the Deposit Manager Proxy of the bridge, more than $850 million of users' funds were at risk.

Largest threat, largest bounty

As such, Polygon could have been targeted by the largest attack in the history of DeFi segment: the current "leader," Poly Network, suffered from a $611 million exploit.

Related
Poly Network Hacker May Receive Advisor Position in Project: See the Offer

The Polygon team awarded the largest bug bounty bonus ever to Mr. Wagner, $2,000,000 plus the commission of the Immunefi platform. The team responded to Immunefi's report in 30 minutes and confirmed the bug.

The team stressed that no users' funds are at risk as of now, and this white-hat hack should be a lesson for DeFi apps:

No user funds were lost (...) Let's build and make web 3.0 more resilient from such future attacks.

article image
About the author

Blockchain Analyst & Writer with scientific background. 6+ years in IT-analytics, 3+ years in blockchain.

Worked in independent analysis as well as in start-ups (Swap.online, Monoreto, Attic Lab etc.)