Polygon Technology Pays $2M Bug Bounty to Protect $850M Crypto Fund
The platform used to disclose the bug said this is the highest bounty ever paid for a vulnerability
Immunefi announced that a researcher named Gerhard Wagner was paid $2 million for a vulnerability affecting Polygon Technology's Ethereum scaling platform. This is believed to be the highest bug bounty ever paid, Immunefi said, because the flaw put an estimated $850 million worth of cryptocurrency at risk.
The vulnerability was found in one of the bridges between the Polygon and Ethereum blockchains. "A bridge is basically a set of contracts that help in moving assets from the root chain to the child chain," Polygon explains in its docs, and users can tap either the Plasma Bridge or the Proof of Stake Bridge to move their assets.
The Plasma Bridge is meant to be the more secure of the two, but Wagner discovered a flaw that could be exploited to withdraw a single deposit of ETH or tokens up to 223 times over. Here's how Immunefi explained the exploit in its write-up (the "branch mask" is the hex-prefix, or HP, encoded Merkle proof path that locates the burn receipt):
- Deposit a large amount of ETH/tokens to Polygon through the Plasma Bridge
- After confirmation of the funds being available on the Polygon, start the Withdrawal process
- Wait for seven days for an exit to be valid
- Resubmit the exit payload but with a modified first byte of the branch mask.
- The same valid transaction can be resubmitted up to 223 times with different values for the first byte of the HP-encoded path.
- Profit
The one mitigating factor was that exploiting this vulnerability requires some up-front investment. Immunefi's example showed that someone depositing $100,000 of ETH could withdraw $22.3 million worth of assets from Polygon. Since each deposit could be multiplied 223 times, successfully making off with $850 million would require about $3.8 million worth of ETH first.
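As an added illustration (not code from the page, Immunefi, or Polygon), the following Python models why a single valid exit payload can be replayed by changing only the first byte of the branch mask. It assumes the branch mask is hex-prefix (HP) encoded, that the bridge's decoder only checks whether the flag nibble is 1 or 3 and never validates the padding nibble, and that spent exits are recorded under their raw branch-mask bytes while the Merkle check sees only the decoded nibble path. Under those assumptions, 14 flag values times 16 padding values yield 224 accepted withdrawals for one deposit: the legitimate one plus the 223 replays the article quotes. It also shows the fix a practitioner would want, deriving the exit's identity from the decoded, canonical path (and rejecting non-canonical encodings) rather than from the bytes as submitted. The sample branch mask is constructed for the receipt at index 0.

```python
"""Added example (not code from the page, Immunefi or Polygon): replaying one
Plasma exit by varying the first byte of an HP-encoded branch mask.

Assumptions, since the page does not show the bridge contracts:
  * the branch mask is a hex-prefix (HP) encoded nibble path: the first
    nibble is a flag (bit 0 = odd nibble count, bit 1 = terminator), and an
    even-length path carries one zero padding nibble after the flag;
  * the lenient decoder only asks "is the flag nibble 1 or 3?", otherwise
    treats the path as even-length and ignores the padding nibble;
  * the bridge records a spent exit under the raw branch-mask bytes while
    the Merkle proof only ever sees the decoded nibbles.
"""


def _nibbles(data: bytes) -> list[int]:
    out = []
    for b in data:
        out.append(b >> 4)
        out.append(b & 0x0F)
    return out


def decode_hp_lenient(encoded: bytes) -> list[int]:
    """Lenient HP decode: flag 1 or 3 means odd length; any other flag value is
    silently treated as even and the padding nibble is never checked."""
    nibs = _nibbles(encoded)
    if not nibs:
        return []
    return nibs[1:] if nibs[0] in (1, 3) else nibs[2:]


def decode_hp_strict(encoded: bytes) -> list[int]:
    """Strict HP decode: flag must be 0..3 and an even-length path must carry a
    zero padding nibble; anything else is rejected."""
    nibs = _nibbles(encoded)
    if not nibs:
        raise ValueError("empty path")
    flag = nibs[0]
    if flag > 3:
        raise ValueError(f"invalid HP flag nibble {flag:#x}")
    if flag & 1:
        return nibs[1:]
    if nibs[1] != 0:
        raise ValueError("even-length path must have a zero padding nibble")
    return nibs[2:]


def encode_hp(path: list[int], terminator: bool = False) -> bytes:
    """Canonical HP encoding of a nibble path."""
    flag = 2 if terminator else 0
    nibs = [flag | 1] + path if len(path) % 2 else [flag, 0] + path
    return bytes((nibs[i] << 4) | nibs[i + 1] for i in range(0, len(nibs), 2))


class ExitLedger:
    """Replay protection for processed exits. key_on_path=False models the
    flawed design (identity = raw encoded bytes); key_on_path=True derives the
    identity from the decoded, canonical path instead."""

    def __init__(self, decoder, key_on_path: bool):
        self.decoder = decoder
        self.key_on_path = key_on_path
        self.spent: set[bytes] = set()

    def process_exit(self, branch_mask: bytes) -> bool:
        path = self.decoder(branch_mask)  # this is all the Merkle check sees
        key = bytes(path) if self.key_on_path else branch_mask
        if key in self.spent:
            return False  # replay rejected
        self.spent.add(key)
        return True


def successful_exits(branch_mask: bytes, decoder, key_on_path: bool) -> int:
    """Resubmit one valid exit with all 256 values of the first byte and count
    how many the ledger accepts (the first one is the legitimate withdrawal)."""
    ledger = ExitLedger(decoder, key_on_path)
    accepted = 0
    for first in range(256):
        variant = bytes([first]) + branch_mask[1:]
        try:
            if decoder(variant) != decoder(branch_mask):
                continue  # a different path would fail the Merkle proof
            if ledger.process_exit(variant):
                accepted += 1
        except ValueError:
            continue  # strict decoder rejected a malformed mask
    return accepted


# Constructed sample: the receipt at index 0 sits at key RLP(0) = 0x80, i.e.
# nibble path [8, 0], whose canonical branch mask is 0x0080.
SAMPLE_MASK = encode_hp([8, 0])

if __name__ == "__main__":
    print(SAMPLE_MASK.hex())                                         # 0080
    print(successful_exits(SAMPLE_MASK, decode_hp_lenient, False))  # 224
    print(successful_exits(SAMPLE_MASK, decode_hp_strict, False))   # 2
    print(successful_exits(SAMPLE_MASK, decode_hp_lenient, True))   # 1
    print(successful_exits(SAMPLE_MASK, decode_hp_strict, True))    # 1
```

Note that strict decoding alone still leaves two accepted exits in this model, because flag nibbles 0 and 2 differ only in the terminator bit and decode to the same path; the durable fix is to key replay protection on the value that was actually verified, the canonical decoded path, so that no encoding trick can manufacture a fresh identity.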
Immunefi said Wagner disclosed this vulnerability on October 5 and that it only took Polygon Technology a week to pay the bounty, pay the commission to Immunefi, test a fix meant to address the issue, and deploy that fix to its mainnet. This isn't surprising when you consider that nearly a billion dollars was on the line.
Many companies offer bug bounty programs, and particularly nasty vulnerabilities can be worth quite a bit. Apple pays up to $1 million for security flaws on the iPhone, for example, and Google will match that for issues affecting the Pixel Titan M chip. But the vast majority of bug bounty programs offer significantly lower payouts.
Other researchers have been less ethical in revealing flaws with decentralized finance platforms. The Poly Network hacker exemplified this by stealing an estimated $600 million worth of various cryptocurrencies only to return the haul a few days later, after refusing Poly Network's offer of a $500,000 bounty for revealing the flaw.
Wagner earned four times as much for demonstrating that this kind of theft was possible in the Plasma Bridge as the Poly Network hacker was offered after actually stealing $600 million. This might be the rare example of responsible disclosure being more lucrative than exploiting the bug or selling it to a vulnerability broker would have been.
More information about the vulnerability, how it could be exploited, and how Wagner discovered it can be found in his write-up of the process on Medium.
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
GenericUser
Quoting the article: "Successfully making off with $850 million worth of Polygon would require about $3.8 million worth of ETH first."
I'm not exactly sure if he had nearly $4 million in crypto-based capital lying around in order to actually act on this exploit.
derekullo
GenericUser said: I'm not exactly sure if he had nearly $4 million in crypto-based capital lying around in order to actually act on this exploit.
The way I'm reading it is he could start with "a large amount of ETH/tokens"; this might be 1 ETH or 100 ETH.
Then he does his magic and withdraws his original amount 223 times.
The only bottleneck is the 7-day wait period and how confident you are that you won't get caught during that period.
Day 1
Deposit 1 ETH
Day 7
Withdraw 223 ETH
Deposit 223 ETH (Absolute baller move to use your stolen ETH to steal more ETH from the same company!)
Day 14
Withdraw 49,729 ETH
Buy Pagani Huayra
Day 15
Convince IRS agents that a stranger randomly gifted you $203M worth of ETH
cryoburner
Quoting the article: "This might be the rare example of responsible disclosure being more lucrative than exploiting the bug or selling it to a vulnerability broker would've been."
How do we know this wasn't a ransom to not release or exploit the vulnerability before they had a fix? >_>