- Polygon has granted a $2 million reward to a white hat hacker who found a major vulnerability.
According to Immunefi, this is the highest bounty ever given in DeFi. Gerhard Wagner discovered the vulnerability in the Polygon Plasma Bridge on October 5. It would have allowed an attacker to exit the same burn transaction from the bridge up to 223 times.
According to a post-mortem report provided by Immunefi, an attacker starting with just $100,000 could have caused a loss of $22.3 million. The total amount at risk was ~$850M. The main flaw affected WithdrawManager, a function in the bridge contract that authenticates burn transactions in prior blocks in order to withdraw assets back to Ethereum.
It took the Polygon network 30 minutes to start addressing the problem. The issue was quickly fixed, and no user funds were lost.
“We congratulate Gerhard for his fantastic work and excellent report, and appreciate the swift response, subsequent fix, and a fast payout from Polygon,” said Mitchell Amador, founder of Immunefi.
“The entire issue, including the bounty payout and deploying the fix on the mainnet, has been mitigated within one week,” said the Immunefi team.
“We hope this bounty on Immunefi sets an example for other web 3.0 projects and attracts Giga brains from the white hat security research community to contribute to web 3.0 and make it more resilient from future security threats,” said Jaynti Kanani, co-founder of Polygon.