General

# Polygon pays $2M bounty on bug which could have compromised $850M in user funds

# Polygon pays $2M bounty on bug which could have compromised $850M in user funds

White hat hacker Gerhard Wagner has earned $2 million after reporting a solution to a potentially costly “double-spend” bug on the Polygon network.

In an Oct. 21 blog post from Immunefi, a security service that helps facilitate bug reports in decentralized finance projects, Polygon network’s Plasma Bridge was at risk of having $850 million removed by a knowledgeable hacker. According to the project, the vulnerability would have allowed attackers to exit their burn transaction from the bridge up to 223 times, quickly turning an amount like $4,500 into $1 million profi.

Immunefi reported the double-spend exploit worked by first depositing Ether (ETH) through the Plasma Bridge and starting the withdrawal process after the transaction was confirmed. A hacker could then wait a week and resubmit the same withdrawals with the exception of “a modified first byte of the branch mask.” Provided the hacker was able to begin with $3.8 million, they could have potentially depleted all $850 funds from the bridge’s deposit manager at the time.

Polygon agreed to pay its maximum amount for a bug bounty report — $2 million — following Wagner’s initial report on Oct. 5. According to the platform, the bug has already been deployed on the mainnet after testing, Wagner has received the funds, claimed to be “the highest bounty ever paid out in history,” and no user funds were lost with the exploit.

Wagner speculated on his Medium page that the bug might be due to “using someone else’s code and not having a 100% understanding of what it does.” He added the solution was “not very elegant” but did fix the double-spend exploit.

Related: White hat hacker paid DeFi’s largest reported bounty fee

Before this latest $2 million payout, the largest bounty for a white hat hacker had gone towards programmer Alexander Schlindwein, who in September discovered a vulnerability in Belt Finance’s protocol and was awarded $1.05 million. However, the U.S. Department of State may topple that record if a hacker is able pass on information on terrorist suspects, extremists and state-sponsored hackers — the government said it would be offering rewards of up to $10 million.

If you liked the article, do not forget to share it with your friends. Follow us on Google News too, click on the star and choose us from your favorites.

For forums sites go to Forum.BuradaBiliyorum.Com

If you want to read more News articles, you can visit our General category.

Source

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Close

Please allow ads on our site

Please consider supporting us by disabling your ad blocker!