Polygon, a red-hot smart contracts platform and L2 decentralized finance hub, shares the details of what could have been the largest hack in DeFi history.
How to make $850 million resubmitting Polygon transactions
According to the official post-mortem released by Immunefi, a multi-product bug bounty platform, in early October 2021, white-hat hacker Gerhard Wagner submitted a bug report to Polygon (MATIC).
As promised, we broke another record. @g3rh4rdw4gn3r found a bug in @0xPolygon's plasma bridge that could have resulted in an $850m loss if exploited.
The bounty payout is the largest: $2m.
Bug fixed. Everyone is safe!
A real win for all. https://t.co/1fqd4ul3uO
— Immunefi (@immunefi) October 21, 2021
According to this report, the flaw in Polygon's scaling solution, Plasma, allowed an attacker to resubmit the same burn transaction multiple times. The malefactor could send the withdrawal request to Polygon again and again, up to 223 times.
To compromise the Polygon Plasma Bridge, an attacker needed only to slightly modify the technical parameters of the transaction data, namely the "first byte of the branch mask."
Given the aggregated amount of funds locked in the Deposit Manager Proxy of the bridge, more than $850 million of users' funds were at risk.
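The replay-protection gap described above can be modelled in a few lines. This is an added example, not code from Polygon or Immunefi. It assumes an Ethereum-style hex-prefix decoding of the branch mask, a hypothetical replay key derived from the raw mask bytes, and a constructed sample mask; proof verification is reduced to a path comparison.

```python
import hashlib

def decode_path(branch_mask: bytes) -> list[int]:
    """Assumed hex-prefix decoding: a leading nibble of 1 or 3 marks an
    odd-length path and only that nibble is dropped; any other leading
    nibble drops the whole first byte without validating it."""
    nibbles = [n for b in branch_mask for n in (b >> 4, b & 0x0F)]
    return nibbles[1:] if nibbles[0] in (1, 3) else nibbles[2:]

def exit_id(branch_mask: bytes) -> str:
    """Hypothetical replay key computed over the raw, undecoded bytes."""
    return hashlib.sha256(branch_mask).hexdigest()

class ExitLedger:
    """Toy withdrawal ledger; canonical_only switches on the hardened check."""
    def __init__(self, canonical_only: bool):
        self.canonical_only = canonical_only
        self.seen: set[str] = set()
        self.paid = 0

    def submit(self, branch_mask: bytes, burn_path: list[int]) -> bool:
        if decode_path(branch_mask) != burn_path:
            return False              # proof does not reach the burn receipt
        if self.canonical_only and branch_mask[0] != 0x00:
            return False              # hardened: one valid encoding per path
        key = exit_id(branch_mask)
        if key in self.seen:
            return False              # ordinary replay of identical bytes
        self.seen.add(key)
        self.paid += 1
        return True

def accepted_encodings(canonical_only: bool) -> int:
    """Regression check: how many first-byte variants of one burn proof
    does the ledger pay out on?"""
    mask = bytes([0x00, 0x08, 0x02])  # constructed sample mask
    burn_path = decode_path(mask)
    ledger = ExitLedger(canonical_only)
    for first in range(256):
        ledger.submit(bytes([first]) + mask[1:], burn_path)
    return ledger.paid

if __name__ == "__main__":
    print("without canonical check:", accepted_encodings(False))
    print("with canonical check:   ", accepted_encodings(True))
```

Under these assumptions the unchecked ledger pays the same burn 224 times, the original plus 223 resubmissions, which matches the figure in the report; with the canonical-encoding check it pays once.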
Largest threat, largest bounty
As such, Polygon could have been targeted by the largest attack in the history of the DeFi segment: the current "leader," Poly Network, suffered from a $611 million exploit.
The Polygon team awarded the largest bug bounty bonus ever to Mr. Wagner, $2,000,000 plus the commission of the Immunefi platform. The team responded to Immunefi's report in 30 minutes and confirmed the bug.
The team stressed that no users' funds are at risk as of now, and this white-hat hack should be a lesson for DeFi apps:
No user funds were lost (...) Let's build and make web 3.0 more resilient from such future attacks.