The bug could have resulted in $850 million worth of losses.
Key Takeaways
Polygon has patched a critical bug on its Plasma Bridge.
The vulnerability put $850 million at risk, though the issue was resolved before any funds were lost.
Polygon has paid a record $2 million bounty to the hacker who spotted the issue.
Polygon has patched a critical vulnerability that affected its Plasma Bridge.
Polygon Pays $2 Million Bounty
Ethereum sidechain Polygon has patched a critical bug on its Plasma Bridge contract.
A postmortem report from the bug bounty platform Immunefi revealed that it had discovered the issue and it was patched before any hack or funds were lost.
Polygon is the largest sidechain network on Ethereum. It operates the Plasma Bridge, a two-way token gateway that lets users transfer assets from Ethereum mainnet to Polygon and withdraw them back on Ethereum.
Polygon’s Plasma Bridge has a security exit mechanism that involves burning tokens that have been requested to be withdrawn to mainnet. On Oct. 5, the whitehat hacker Gerhard Wagner found a security vulnerability that could let malicious hackers bypass the bridge’s exit mechanism.
The main vulnerability affected WithdrawManager, the component of the bridge contract that verifies burn transactions from earlier blocks before allowing assets to be withdrawn back to Ethereum.
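To make the role of a component like WithdrawManager concrete, here is an added, simplified model of a two-way bridge exit flow. It is example code written for this article, not Polygon's contract, and it does not reproduce the reported bug: it only shows the checks such a verifier has to enforce before releasing funds. The checkpoint scheme, the sha256 Merkle tree, the `BurnEvent` fields and every name (`WithdrawManager`, `start_exit`, `submit_checkpoint`, the claimants) are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass

# Assumed, simplified bridge exit model (illustration only, not Polygon's code):
#   1. a user burns tokens on the child chain, producing a BurnEvent;
#   2. the child-chain block containing the burn is checkpointed to the root
#      chain as a Merkle root of its burn events;
#   3. the user presents the burn plus an inclusion proof; the verifier
#      checks the proof, the claimant, and that this exit was never paid before.


def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def merkle_tree_levels(leaves):
    """Return every level of the tree, leaves first; odd levels duplicate the last node."""
    level = list(leaves)
    levels = [level]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(leaves) -> bytes:
    return merkle_tree_levels(leaves)[-1][0]


def merkle_proof(leaves, index):
    """Proof for leaves[index]: list of (sibling_hash, sibling_is_left)."""
    proof = []
    for level in merkle_tree_levels(leaves)[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_proof(leaf: bytes, proof, root: bytes) -> bool:
    node = leaf
    for sibling, sibling_is_left in proof:
        node = _h(sibling + node) if sibling_is_left else _h(node + sibling)
    return node == root


@dataclass(frozen=True)
class BurnEvent:
    exit_id: int      # constructed unique id for the burn on the child chain
    owner: str
    token: str
    amount: int

    def leaf(self) -> bytes:
        # Every field is bound into the leaf, so changing owner or amount
        # after the fact invalidates the inclusion proof.
        return _h(f"{self.exit_id}|{self.owner}|{self.token}|{self.amount}".encode())


class WithdrawManager:
    """Root-chain side: releases funds only for proven, unused burns."""

    def __init__(self):
        self.checkpoints = {}   # child block number -> Merkle root of its burns
        self.consumed = set()   # exit ids that have already been paid out
        self.paid = {}          # claimant -> total released

    def submit_checkpoint(self, block_number: int, root: bytes) -> None:
        self.checkpoints[block_number] = root

    def start_exit(self, claimant: str, burn: BurnEvent, block_number: int, proof) -> bool:
        root = self.checkpoints.get(block_number)
        if root is None:                      # burn must come from a checkpointed block
            return False
        if burn.owner != claimant:            # only the burner may exit its own burn
            return False
        if not verify_proof(burn.leaf(), proof, root):   # burn must really be in that block
            return False
        if burn.exit_id in self.consumed:     # each burn can be redeemed exactly once
            return False
        self.consumed.add(burn.exit_id)
        self.paid[claimant] = self.paid.get(claimant, 0) + burn.amount
        return True


def demo():
    """Constructed scenario: one valid exit, then four attempts the verifier must reject."""
    burns = [BurnEvent(1, "alice", "TOKEN", 100),
             BurnEvent(2, "bob", "TOKEN", 250),
             BurnEvent(3, "carol", "TOKEN", 5)]
    leaves = [b.leaf() for b in burns]
    wm = WithdrawManager()
    wm.submit_checkpoint(1000, merkle_root(leaves))
    proof_bob = merkle_proof(leaves, 1)
    results = {
        "valid_exit": wm.start_exit("bob", burns[1], 1000, proof_bob),
        "replayed_exit": wm.start_exit("bob", burns[1], 1000, proof_bob),
        "wrong_claimant": wm.start_exit("mallory", burns[0], 1000, merkle_proof(leaves, 0)),
        "inflated_amount": wm.start_exit("carol", BurnEvent(3, "carol", "TOKEN", 5000),
                                         1000, merkle_proof(leaves, 2)),
        "uncheckpointed_block": wm.start_exit("alice", burns[0], 1001, merkle_proof(leaves, 0)),
    }
    return results, wm.paid


if __name__ == "__main__":
    print(demo())
```

The point of the model is that an exit verifier is the last line of defence for everything locked in a bridge: if any one of the four checks in `start_exit` can be bypassed, the funds of every other user are exposed, which is why a bug in such a component carries the whole bridge's TVL as its impact.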
Thank you @g3rh4rdw4gn3r for responsibly disclosing the bug, and @immunefi for facilitating the bug bounty of $2,000,000
👷♀️Let’s build and make web 3.0 more resilient from such future attacks.
You can read the detailed postmortem of the exploit here 👇 https://t.co/svhfo2cewS
— Polygon | $MATIC (@0xPolygon) October 21, 2021
Wagner reported the vulnerability to Immunefi, which then notified Polygon. Per the Immunefi postmortem, the Polygon team “immediately began fixing the underlying issue” and it was safely patched soon after. The bug was reportedly severe enough that it could have allowed hackers to drain the entire value locked on Plasma Bridge, which was around $850 million at the time.
The Polygon team has rewarded Wagner with $2 million, the highest bounty paid in the crypto space to date.
In a statement shared with Crypto Briefing, Polygon co-founder Jaynti Kanani said that security should not be an afterthought when building Web 3. Commenting on the issue, Kanani added that Immunefi had helped the Polygon team “connect with security researchers to make the Polygon Proof-of-Stake network more resilient.”
The incident serves as a reminder of the security risks of interoperability bridges. As a variety of Layer 1 blockchains have seen explosive growth, bridges have soared in popularity. However, many bridges have major security weaknesses, which has led to several attacks in which hackers exploited vulnerabilities. In one notable incident, $611 million was stolen from a cross-chain bridge service called PolyNetwork. Other cross-chain bridges, including pNetwork and Thorchain, have also suffered multi-million dollar losses in recent months.
Disclosure: At the time of writing, the author of this feature owned ETH.