
Polygon awarded highest-ever bounty of $2 Mn to a white hat hacker for outing fatal flaw


Polygon, an Ethereum scaling solution, has awarded $2 million, the largest bounty in DeFi history, to a white hat hacker. The award went to Gerhard Wagner for discovering a vulnerability in the Polygon Plasma Bridge on October 5. Polygon’s total exposure was projected to be $850,000, so he definitely deserved every penny of the bonus.

White hat hackers, otherwise known as ethical hackers, are the good guys in computer security. Basically, they use their skills to detect vulnerabilities in a system and then report them so they can be fixed, instead of exploiting them.

 The Polygon Plasma Bridge is an important aspect of the network as it supports the interoperability between Polygon and Ethereum. Basically, this reliable transaction channel allows users to move tokens between the two chains. 

The vulnerability allowed an attacker to close the same bridge burn transaction multiple times, up to 223 times. To illustrate the magnitude of this problem, an attacker needing just $100,000 to launch the attack could cause a $22.3 million loss. Thus, a full round of attacks would result in total damage of approximately $850 million.

 Polygon certainly dodged a bullet thanks to Wagner’s good work. 

After Wagner submitted his report, Polygon acted quickly. Within 30 minutes, the network had started to fix the problem. Fortunately, the bug was fixed without any damage or impact on user funds.

Polygon launched its bounty program on Immunefi in September as the team attempted to eliminate potential vulnerabilities. Immunefi is the leading platform for security and bug bounty services in the DeFi space, and it is currently responsible for protecting $50 billion in user funds.


 Essentially, a bounty program, also known as a vulnerability reward program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting bugs and issues. Projects often run bug bounty programs in addition to internal code audits and penetration testing. 

In the case of Polygon, security researchers are rewarded for their efforts based on Immunefi’s vulnerability severity rating system, which is how the platform ranks threats by the severity of the issues found. The lowest possible payout is $1,000, while critical issues, such as in Wagner’s case, warrant a $1 million reward.

Jaynti Kanani, the co-founder of Polygon, invites other platforms to adopt its approach. He said: “We hope this bounty on Immunefi serves as an example for other Web 3.0 projects and attracts the Giga brains of the white hat security research community to contribute to Web 3.0 and make it more resilient to future threats from the security.”

Polygon’s foresight saved it from what could have been a catastrophic situation. Exchanges and platforms are losing their shirts due to vulnerabilities at this level. Two weeks ago, OpenSea patched vulnerabilities in its platform that allowed hackers to steal someone’s crypto after sending them a maliciously crafted NFT. Security firm Check Point Research discovered the issue after users started complaining on Twitter.


© Startup Story Private Limited. All Rights Reserved.