Immunefi announced that a researcher named Gerhard Wagner was paid $2 million for a vulnerability affecting the Polygon Technology decentralized finance platform. This is believed to be the highest bug bounty ever paid, Immunefi said, and that's because the flaw put an estimated $850 million worth of cryptocurrency at risk.
The vulnerability was found in one of the bridges between the Polygon and Ethereum blockchains. "A bridge is basically a set of contracts that help in moving assets from the root chain to the child chain," Polygon explains in its docs, and users can tap either the Plasma Bridge or the Proof of Stake Bridge to move their assets.
The Plasma Bridge is supposed to be the more secure of the two, but Wagner discovered a flaw that let an attacker replay a single valid Plasma exit up to 223 additional times, withdrawing the originally deposited amount of ETH or tokens on each replay. Here's how Immunefi explained the exploit in its write-up:
- Deposit a large amount of ETH/tokens to Polygon through the Plasma Bridge.
- After the funds are confirmed as available on Polygon, start the withdrawal (exit) process.
- Wait the seven-day challenge period for the exit to become valid.
- Resubmit the exit payload with a modified first byte of the branch mask (the Merkle proof path).
- The same valid exit can be resubmitted up to 223 times with different values for the first byte of the HP (hex-prefix) encoded path, because each variant is still accepted as a valid exit.
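The following is an added illustration, not code from Immunefi, Polygon or Wagner's write-up. It models the step above where only the first byte of the HP-encoded branch mask changes. The lenient decoder reconstructs the behaviour the description implies, which is an assumption: flag nibbles 1 and 3 are taken as odd-length encodings, and any other high nibble is treated as an even-length encoding whose entire first byte is discarded, so many distinct byte values decode to the same trie path. The strict decoder enforces the canonical hex-prefix rules instead. The exit-id derivation (`exit_id`, built from the raw branch-mask bytes plus a block number) and the constructed sample mask `SAMPLE_MASK` are simplified assumptions for the example, not Polygon's actual scheme.

```python
"""Added example (not Polygon's code): how lenient hex-prefix (HP) decoding lets
one Plasma exit proof be replayed with 223 different first bytes."""

from typing import Callable, List

# Constructed sample branch mask: flag nibble 2 (leaf, even length), low nibble 0,
# followed by the path nibbles 8 and 0.  Chosen for illustration only.
SAMPLE_MASK = bytes.fromhex("2080")


def decode_hp_lenient(path: bytes) -> bytes:
    """Reconstructed lenient decoder (assumption): flag nibbles 1 and 3 are odd
    length, so the low nibble of byte 0 is the first path nibble; any other flag
    nibble is treated as even length and byte 0 is discarded entirely, low nibble
    included.  14 of the 16 flag values therefore collapse onto the same path."""
    if not path:
        return b""
    flag = path[0] >> 4
    nibbles = [path[0] & 0x0F] if flag in (1, 3) else []
    for b in path[1:]:
        nibbles.extend((b >> 4, b & 0x0F))
    return bytes(nibbles)


def decode_hp_strict(path: bytes):
    """Canonical decoder: only flags 0-3 are legal, even-length encodings must
    carry a zero low nibble, and the leaf/extension bit is part of the result,
    so exactly one byte string encodes a given path."""
    if not path:
        raise ValueError("empty path")
    flag, low = path[0] >> 4, path[0] & 0x0F
    if flag > 3:
        raise ValueError("invalid hex-prefix flag %#x" % flag)
    if flag in (0, 2) and low != 0:
        raise ValueError("non-canonical even-length hex-prefix")
    is_leaf = flag >= 2
    # Nibble extraction is the same as the lenient path once the flags are validated.
    return is_leaf, decode_hp_lenient(path)


def exit_id(block_number: int, branch_mask: bytes) -> int:
    """Simplified stand-in (assumption) for an exit id derived from the raw,
    undecoded branch-mask bytes: different bytes give a different id."""
    return (block_number << 64) | int.from_bytes(branch_mask, "big")


def equivalent_branch_masks(branch_mask: bytes, decode: Callable) -> List[bytes]:
    """Every first-byte variant that `decode` maps to the same value as the
    original mask (original excluded); variants that `decode` rejects are skipped."""
    target = decode(branch_mask)
    variants = []
    for first in range(256):
        candidate = bytes([first]) + branch_mask[1:]
        if candidate == branch_mask:
            continue
        try:
            if decode(candidate) == target:
                variants.append(candidate)
        except ValueError:
            continue
    return variants


def count_replays(branch_mask: bytes, decode: Callable, block_number: int = 12345) -> int:
    """Distinct exit ids a verifier using `decode` would accept for one proof."""
    ids = {exit_id(block_number, m) for m in equivalent_branch_masks(branch_mask, decode)}
    return len(ids)


if __name__ == "__main__":
    print("lenient decoder replays:", count_replays(SAMPLE_MASK, decode_hp_lenient))
    print("strict decoder replays: ", count_replays(SAMPLE_MASK, decode_hp_strict))
```

With the lenient decoder, `count_replays(SAMPLE_MASK, decode_hp_lenient)` reports 223 distinct exit ids for a single proof, the figure Immunefi quotes, while the strict decoder accepts none of the variants. The general point is that any replay or uniqueness check must be keyed on the canonical decoded value, not on the bytes the submitter chose to encode it with.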
The mitigating factor is that exploiting the bug requires capital up front. Immunefi's example showed that someone depositing $100,000 of ETH could withdraw about $22.3 million, and draining the full $850 million would have required roughly $3.8 million of ETH to begin with, although in principle nothing stops an attacker from feeding the proceeds of one round into the next deposit.
Immunefi said Wagner disclosed this vulnerability on October 5 and that it only took Polygon Technology a week to pay the bounty, pay the commission to Immunefi, test a fix meant to address the issue, and deploy that fix to its mainnet. This isn't surprising when you consider that nearly a billion dollars was on the line.
Many companies offer bug bounty programs, and particularly nasty vulnerabilities can be worth quite a bit. Apple pays up to $1 million for security flaws on the iPhone, for example, and Google will match that for issues affecting the Pixel Titan M chip. But the vast majority of bug bounty programs offer significantly lower payouts.
Other researchers have been less ethical in revealing flaws with decentralized finance platforms. The Poly Network hacker exemplified this by stealing an estimated $600 million worth of various cryptocurrencies only to return the haul a few days later, after refusing Poly Network's offer of a $500,000 bounty for revealing the flaw.
Wagner made four times as much for showing this kind of theft was possible in the Plasma Bridge as the Poly Network hacker would have for actually stealing $600 million. This might be the rare example of responsible disclosure being more lucrative than exploiting the bug or selling it to a vulnerability broker would have been.
More information about the vulnerability, how it could be exploited, and how Wagner discovered it can be found in his write-up of the process on Medium.
I'm not exactly sure if he had nearly 4 million in crypto-based capital lying around in order to actually act on this exploit.
Then he does his magic and withdraws his original amount 223 times.
The only bottleneck is the 7-day wait period and how confident you are that you won't get caught during that period.
Deposit 1 Eth
Withdraw 223 Eth
Deposit 223 Eth (Absolute baller move to use your stolen eth to steal more eth from the same company!)
Withdraw 49729 Eth
Buy Pagani Huayra
Convince IRS agents that a stranger randomly gifted you $203M worth of Eth