Polygon Dodges $850M Hack, Pays Record $2M Bounty
Polygon, a scalability solution for Ethereum, has awarded a $2 million bounty to a white hat hacker after they identified a vulnerability that put about $850 million of capital at risk.
According to the bug bounty and security services platform Immunefi, which hosts Polygon’s bounty program, this is the highest bounty ever paid in the world of decentralized finance (DeFi).
The vulnerability, found by Gerhard Wagner in the Polygon Plasma Bridge on October 5, allowed an attacker to exit their burn transaction from the bridge multiple times—up to 223 times.
Polygon Plasma Bridge is a trustless transaction channel that ensures cross-communication between Polygon (formerly known as Matic) and Ethereum networks, allowing users to move tokens between the two chains.
According to a post mortem shared with Decrypt, launching an attack with just $100,000 would result in a loss of $22.3 million, or a combined total of approximately $850 million for a full string of attacks.
It took Polygon 30 minutes to begin fixing the issue after the white hat hacker submitted the vulnerability. The bug has since been promptly patched, with no user funds lost.
“We congratulate Gerhard for his fantastic work and excellent report, and appreciate the swift response, subsequent fix, and a fast payout from Polygon,” said Mitchell Amador, founder and CEO of Immunefi.
The entire issue, including the bounty payout and deployment of the fix on the mainnet, was mitigated within one week, said Immunefi.
Polygon’s bounty program
Polygon launched its bounty program on Immunefi in September as the team sought to eliminate potential security flaws.
The bounty program is essentially an open invitation to white hat hackers to discover and report potential vulnerabilities in Polygon’s smart contracts and decentralized applications (dApps).
Security researchers will be rewarded for their efforts based on Immunefi’s Vulnerability Severity Classification System, which ranks threats according to the severity of the issues they identify. The minimum possible bounty is $1,000 for low-level threats; the maximum—awarded for uncovering critical vulnerabilities like Wagner’s—is $2 million.
“We hope this bounty on Immunefi sets an example for other web 3.0 projects and attracts Giga brains from the white hat security research community to contribute to web 3.0 and make it more resilient from future security threats,” said Jaynti Kanani, co-founder of Polygon.
Previously, the Polygon network underwent a successful smart contract audit from cybersecurity firm Certik. It currently ranks 18 on Certik’s security leaderboard.
Original source: Decrypt