Polygon Avoids a $850M Hack by Paying a Record $2M Bounty

    Polygon, an Ethereum scalability solution, has awarded a $2 million bounty to a white hat hacker who discovered a vulnerability that put $850 million in capital at risk.

    According to Immunefi, the platform that hosts Polygon’s bounty program, this is the highest bounty ever paid in the world of decentralized finance (DeFi).

    Gerhard Wagner discovered the vulnerability in the Polygon Plasma Bridge on October 5. It would have allowed an attacker to exit the same burn transaction from the bridge up to 223 times, withdrawing funds repeatedly against a single burn.


    Polygon Plasma Bridge is a trustless transaction channel that allows users to move tokens between the Polygon (formerly known as Matic) and Ethereum networks.

    According to a post mortem shared with Decrypt, an attacker starting with just $100,000 could have drained $22.3 million in a single attack, and a full string of such attacks could have resulted in a total loss of around $850 million.

    After the white hat hacker submitted the vulnerability, it took Polygon 30 minutes to start fixing the problem. The bug was quickly fixed, and no user funds were lost as a result.

    “We congratulate Gerhard on his fantastic work and excellent report, and we appreciate Polygon’s quick response, subsequent fix, and quick payout,” said Mitchell Amador, Immunefi’s founder and CEO.

    According to Immunefi, the entire issue, including the bounty payout and the deployment of the fix on the mainnet, was resolved in one week.

    The Polygon Bounty Program

    Polygon launched its bounty program on Immunefi in September to address potential security flaws.

    The bounty program is essentially an open invitation to white hat hackers to find and report potential flaws in Polygon’s smart contracts and decentralized applications (dApps).

    Rewards are determined by Immunefi’s Vulnerability Severity Classification System, which ranks reported issues by severity. The minimum reward for low-severity issues is $1,000, and the maximum reward is $2 million for critical vulnerabilities like the one Wagner found.

    “We hope that this bounty on Immunefi serves as a model for other web 3.0 projects and attracts Giga brains from the white hat security research community to contribute to web 3.0 and make it more resilient to future security threats,” said Polygon co-founder Jaynti Kanani.

    Previously, the Polygon network passed a smart contract audit performed by cybersecurity firm Certik. Certik’s security leaderboard currently ranks Polygon at number 18.
