Polygon White Hat Awarded $75,000 to Save Billions in User Funds

Key receivers

Polygon posted a “maximum weight” that allowed the attacker to withdraw all funds from the deposit manager's contract. Nev Yezkel, who discovered and reported the error, was awarded $75,000. He tweeted that the vulnerability put billions of dollars at risk. Imunefi said the vulnerability was not exploitable at the time of the report.

Share this article

Bug bounty platform Immunefi says Polygon recently covered a “high-profile” vulnerability in its network's authentication system that put billions of dollars at risk.

Polygon Dodges Critical Uhu

Polygon, the proof-of-stake sidechain on Ethereum, has fixed a “consensus bypass” bug that could have caused billions of dollars in losses.

According to Immunifi bug fixes Report Published Monday, the vulnerability, first reported on January 15 by White Hat's Niv Yehezkel, allows an attacker to bypass the network's consensus limits and “take all funds from the deposit manager, participate in unlimited withdrawals, DoS [Denial-of-Service attack] and others.”

Yezkel, who received a $75,000 reward from Polygon for reporting the bug, said in a tweet today that the vulnerability put billions of dollars at risk.

I'm excited to share my research on the Polygon to Ethereum PoS bridge, where I discovered a consensus vulnerability that put billions of dollars at risk. Thank you to the Immunefi team and the Polygon team for their quick response, professional teamwork and speedy repairs.

— niv (@invlpgtbl) February 21, 2022

According to Immunifi, the vulnerability affected the authentication system of Polygon's smart contract on Ethereum. Specifically, an attacker would need to meet three specific conditions to exploit the vulnerability. However, meeting the requirements will allow them to withdraw all tokens from the network's deposit manager.

“After this consensus pass, the attacker can send malicious probes denying the withdrawal of tokens from Polygon, essentially draining all tokens from the deposit manager and demanding all Himdal fees and more,” the report said.

Commenting on the severity of the exploit, Iminefi's Chief Technology Officer Duncan Townsend told Crypto Briefing that “no funds were at risk at the time of the report because the bug was not exploitable at the time of the report.” He also said he thought the $75,000 award was “generous” given the weight of the exposure.

According to data from Diffie Llama, Polygon holds more than $4.17 billion in total value locked up in the Diffie ecosystem. It is the most used sidechain of Ethereum, with more value than Layer 2 networks like Arbitrum and Optimism. Earlier this month, it raised $450 million in an investment round led by prominent venture capital firm Sequoia.

Polygon has dealt with several similar security issues in the past. In October, he approached a possible error 850 million dollars Exploitation, paying a $2 million bounty to the White Hat who revealed it. In December, a hacker stole $1.6 million in MATIC tokens due to another critical bug in the network. Polygon's quick response to the crisis averted a $20 billion crisis.

The Polygon team could not be reached for comment at press time. Polygon also chooses to share bug fix details on its communication channels.

Disclosure: At the time of writing this article, the author of this feature owns ETH and several other cryptocurrencies.

Share this article