{"id":51588,"date":"2021-10-21T18:36:53","date_gmt":"2021-10-21T15:36:53","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=51588"},"modified":"2025-09-03T00:27:50","modified_gmt":"2025-09-02T21:27:50","slug":"polygon-pays-record-2m-bounty-for-discovered-bug","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/polygon-pays-record-2m-bounty-for-discovered-bug\/","title":{"rendered":"Polygon pays record $2m bounty for discovered bug"},"content":{"rendered":"<p>The Polygon protocol team paid a white-hat hacker $2 million for a vulnerability that could have caused an $850 million loss. According to bug-bounty platform Immunefi, the payout was the largest in DeFi history.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">As promised, we broke another record. <a href=\"https:\/\/twitter.com\/g3rh4rdw4gn3r?ref_src=twsrc%5Etfw\">@g3rh4rdw4gn3r<\/a> found a bug in <a href=\"https:\/\/twitter.com\/0xPolygon?ref_src=twsrc%5Etfw\">@0xPolygon<\/a>&#8216;s plasma bridge that could have resulted in an $850m loss if exploited. <\/p>\n<p>The bounty payout is the largest: $2m. <\/p>\n<p>Bug fixed. Everyone is safe! <\/p>\n<p>A real win for all.<a href=\"https:\/\/t.co\/1fqd4ul3uO\">https:\/\/t.co\/1fqd4ul3uO<\/a><\/p>\n<p>\u2014 Immunefi (@immunefi) <a href=\"https:\/\/twitter.com\/immunefi\/status\/1451172696243511299?ref_src=twsrc%5Etfw\">October 21, 2021<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/figure>\n<p>The project launched its bug bounty program in September, and security researcher Gerhard Wagner drew attention to it. 
He noted that Polygon relies on Plasma-based security for transactions between its networks and Ethereum, a system that, in his view, is hard to implement reliably.<\/p>\n<p>The Plasma Bridge provides the channel for transferring funds between the layer-1 network and Polygon. Wagner discovered a vulnerability that would have allowed a single valid withdrawal to be replayed up to 223 times (a double spend).<\/p>\n<p>The potential attack would have required the attacker to deposit a certain initial amount, but that cost pales in comparison to the potential gain, the expert emphasized. For example, by depositing tokens worth $100,000 and repeating withdrawals the maximum possible number of times, the hacker could have pocketed $22.3 million.<\/p>\n<p>The total value of assets under threat stood at $850 million.<\/p>\n<p>Wagner discovered the bug on October 5; Immunefi&#8217;s diagnostics team confirmed the issue and passed the information to the client. Polygon&#8217;s developers also confirmed the vulnerability and moved promptly to fix it.<\/p>\n<p>Immunefi said the entire process, including crafting the fix, testing, deploying on mainnet, as well as paying the bounty to the white-hat hacker and platform fees, took a week.<\/p>\n<p>Polygon agreed to pay Wagner the maximum bounty under the program.<\/p>\n<p>Earlier, white-hat hacker Sam San helped identify and fix a vulnerability in the DeFi project SushiSwap, which <a href=\"https:\/\/forklog.com\/en\/news\/white-hat-hacker-foils-350m-theft-in-sushiswap-defi-project\">threatened a loss of $350 million<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Polygon protocol team paid a white-hat hacker $2 million for a vulnerability that could have caused an $850 million loss. 
According to bug-bounty platform Immunefi, the payout was the largest in DeFi history.<\/p>\n","protected":false},"author":1,"featured_media":51589,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1607,1264,1195],"class_list":["post-51588","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-bounty","tag-polygon-matic","tag-white-hat-hackers"],"aioseo_notices":[],"amp_enabled":true,"views":"37","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/51588","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=51588"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/51588\/revisions"}],"predecessor-version":[{"id":51590,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/51588\/revisions\/51590"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/51589"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=51588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=51588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=51588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}
","templated":true}]}}