Polygon $850 Million Bug Addressed
The Intelligent Insurer #39 — Bug identified on Immunefi yields hacker $2 million reward
Fast-growing DApp creation platform Polygon had a close call with a potential $850 million loss due to a vulnerability in its platform. A white hat hacker identified the vulnerability, and the Polygon team quickly addressed the bug and awarded the hacker $2 million in bounty rewards.
In the latest Intelligent Insurer, we highlight the details of this vulnerability. We also take a look at some of the technical details that opened Polygon to the potential exploit and how investors on the network were exposed. We’ll first highlight the progress we’ve made via our software development update.
Insured Finance software development update
This week, we’re excited to report on progress from our beta tests. We remain steadfast in our commitment to providing our users a safe and fully secure environment. Our private group of testers has been onboarded and their wallets have been set up. We have also connected to the tMatic token faucet for further tests.
- We continued work on bridging tokens from ETH’s Goerli testnet to our network.
- We began efforts to have our contracts audited and have reached out to trusted service providers in this regard.
- We continue to stress test our code and improve documentation.
- Over the next week, our focus will be testing the buying and selling coverage functionalities along with running a stablecoin devaluation scenario with our beta testers.
Our Alpha release draws ever closer and we’re excited to deliver a next-gen digital insurance platform for our users. We continue to work on improving the security of our smart contracts on both the front and back end.
Hacker discovers double-spend vulnerability on Polygon
On Wednesday, October 5th, 2021, white hat hacker and security consultant Gerhard Wagner discovered a vulnerability in the Polygon Plasma Bridge that could be exploited by an attacker. Reportedly, he was intrigued by Polygon’s network after learning of the launch of its bug bounty program in September 2021 on Immunefi.
A scalability solution for Ethereum, Polygon facilitates cross-communication between its network and Ethereum through the Polygon Plasma Bridge. This is a trustless channel that allows users to move tokens between the two chains. While the technicalities are complex, they’re worth exploring to highlight how deeply the bug was hidden.
To initiate a transaction on the Plasma Bridge, a user deposits funds into the bridge contract, with the tokens locked in the Plasma network. Following this, a series of workflows occur to confirm that the tokens have been transferred by the user from one chain to another. Upon successful confirmation, users need to “burn” their tokens on the Plasma chain and present a receipt as proof of this having occurred before exiting the Bridge.
Wagner identified a bug that could allow Polygon network users to exit their burn transaction on the Plasma Bridge up to 223 times. In a detailed report, Wagner outlined that each burn transaction must ideally have one receipt or exit ID. The problem on Polygon was that the exit ID contained an element that depended on user input, a serious vulnerability.
Malicious users could potentially create an alternative mask, thereby generating multiple exit IDs for the same burn transaction. Therefore, with a capital of $100,000, a user could have withdrawn up to $22.3 million. With enough capital, a malicious user could have drained the DepositManagerProxy contract, which contains around $1 billion in funds.
Polygon escapes security hack and embarrassment
Wagner reported the identified vulnerability to the Polygon team, which swiftly moved into action and patched it. A hard-coded check that rejects any encoding not beginning with “0x00” was deployed as an immediate fix to avoid double-spending. Wagner pointed out that this wasn’t a hard fix, but it prevents a serious situation from developing in the short term.
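The following is an added toy model, not Polygon's contract code and not part of the original article, of why a replay guard keyed on a user-supplied encoding fails and how the “0x00” check closes it. It assumes a hex-prefix style path decoder that skips the first byte of the mask unless its high nibble is 1 or 3; that decoder behaviour and all names and sample values are assumptions of this sketch.

```python
import hashlib

def decode_path(mask: bytes) -> tuple:
    """Toy hex-prefix decoder (assumed behaviour, not taken from the article)."""
    hi, lo = mask[0] >> 4, mask[0] & 0x0F
    # Odd-length flag (1 or 3): the low nibble of byte 0 is path data.
    # Any other first byte is skipped entirely, whatever its value.
    nibbles = [lo] if hi in (1, 3) else []
    for b in mask[1:]:
        nibbles += [b >> 4, b & 0x0F]
    return tuple(nibbles)

class ToyBridge:
    """Replay guard keyed on an exit ID derived from the raw, user-supplied mask."""
    def __init__(self, require_zero_prefix: bool):
        self.require_zero_prefix = require_zero_prefix
        self.used_exit_ids = set()

    def exit(self, burn_tx: bytes, mask: bytes) -> bool:
        if self.require_zero_prefix and mask[0] != 0x00:
            return False  # the immediate fix described in the article
        exit_id = hashlib.sha256(burn_tx + mask).hexdigest()
        if exit_id in self.used_exit_ids:
            return False  # replay of an exit that was already processed
        self.used_exit_ids.add(exit_id)
        return True

def exits_accepted(bridge: ToyBridge, burn_tx: bytes, path_tail: bytes) -> int:
    """Count accepted exits over every first byte that decodes to the same path."""
    canonical = decode_path(b"\x00" + path_tail)
    accepted = 0
    for first in range(256):
        mask = bytes([first]) + path_tail
        if decode_path(mask) == canonical and bridge.exit(burn_tx, mask):
            accepted += 1
    return accepted

BURN_TX = b"constructed-burn-receipt"  # constructed sample value
PATH_TAIL = bytes([0x08, 0x01])        # constructed sample path bytes

if __name__ == "__main__":
    print("unpatched:", exits_accepted(ToyBridge(False), BURN_TX, PATH_TAIL))
    print("patched:  ", exits_accepted(ToyBridge(True), BURN_TX, PATH_TAIL))
```

In this model the unpatched guard accepts the one legitimate exit plus 223 further encodings of the same burn, while the patched guard accepts exactly one.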
Even the biggest and most respected blockchain networks like Polygon can still have vulnerabilities that expose their users. This highlights how sophisticated DeFi vulnerabilities are and why digital asset insurance like Insured Finance is needed. Polygon’s Co-Founder Jaynti Kanani hopes that this bounty will set an example for other white hat hackers to contribute to the security of DeFi platforms.
About Insured Finance
Insured Finance is a decentralized, peer-to-peer insurance marketplace. Users can request customized insurance on a wide variety of digital assets, thereby ensuring full protection. Those fulfilling requests can earn premiums and earn a competitive return on their capital. Claims are fully collateralized and settled instantly.