Polygon pays record $2m bounty for discovered bug


The Polygon protocol team paid a white-hat hacker $2 million for a vulnerability that could have caused an $850 million loss. According to bug-bounty platform Immunefi, the payout was the largest in DeFi history.

The project launched its bug bounty program in September, and security researcher Gerhard Wagner drew attention to it. He noted that Polygon relies on Plasma protection to secure transactions between its networks and Ethereum, a system that, in his view, is hard to implement reliably.

Funds are transferred between the layer-1 network and Polygon through the Plasma Bridge. Wagner discovered a vulnerability that would have allowed a single valid withdrawal to be repeated up to 223 times (a double spend).

The attack would have required the attacker to deposit a certain initial amount, but that amount pales in comparison to the potential gain, the expert emphasized. For example, by depositing tokens worth $100,000 and repeating the withdrawal the maximum possible number of times, the hacker could have pocketed $22.3 million.

The total value of assets under threat stood at $850 million.

Wagner discovered the bug on October 5; Immunefi’s diagnostics team confirmed the issue and passed the information to the client. Polygon’s developers also confirmed the vulnerability and moved promptly to fix it.

Immunefi said the entire process, including crafting the fix, testing it, deploying it on mainnet, and paying the bounty to the white-hat hacker and the platform fees, took a week.

Polygon agreed to pay Wagner the maximum bounty under the program.

Earlier, white-hat hacker Sam San helped identify and fix a vulnerability in the DeFi project SushiSwap, which threatened a loss of $350 million.
