SUMMARY
Gerhard Wagener, a mythX tool builder, discovered a flaw in Polygon’s plasma bridge that put $850 Mn of capital at risk
Polygon’s bug bounty program Immunifie awards bounties between $1,000 and $2 Mn depending on the severity of the vulnerability
Polygon has processed more than 800 Mn transactions and secures assets worth $8 Bn
In one of the highest bounty rewarded in the Decentralised Finance (DeFi) world, India’s Polygon awarded $2 Mn to a white-hat hacker for identifying a vulnerability that would have put $850 Mn worth of assets at risk.
Gerard Wagener, a white-hat hacker and self-proclaimed ‘retired DeFi flashboy’, found a system vulnerability on Polygon’s plasma bridge that is used to communicate and transfer tokens between Ethereum and Polygon. The company was able to fix the vulnerability in just 30 minutes.
This reward comes as part of Polygon’s bug bounty programme on Immuneifi.
Polygon Bug Bounty Programme
This year, Polygon, an Ethereum scaling platform, had announced a bug bounty programme on Immuneify (DeFi bug bounty platform). The programme offers bounties ranging between $1,000 and $2 Mn.
The programme focuses on smart contracts and aims to prevent issues such as — loss of user funds, theft of unclaimed yield and network shutdowns etc.
Rewards are disbursed based on Immuneifi’s vulnerability severity classification system, with a minimum reward of $1,000 will be awarded to security testers uncovering threats classified as ‘low’ severity. The maximum amount of $2 Mn — that Wagener was awarded— goes to those who uncover ‘critical’ threats: deep cryptography flaws or flaws that can be used to empty contract holdings.
The Bug
Bridges are sets of contracts that help in communication between the root chain and a child chain. In this instance, the bridge can be used to move tokens and assets between Etherueum and Polygon. For example, if someone wants to take advantage of fast transaction speeds and low gas fees of the polygon network, they can use bridges to move tokens from Ethereum to Polygon.
There are primarily two bridges that are used to move assets between Ethereum and Polygon — the Proof of Stake (PoS) bridge and the Plasma bridge. In theory, the Plasma bridge provides additional security measures due to the Plasma exit mechanism.
In order to conduct transactions on the Plasma network, the user deposits funds into the bridge contract on level 1 (Ethereum). These tokens are locked on the level and made available on the Plasma network for transactions.
An aggregator called the child chain then bundles all the transactions on the plasma network into blocks and submits checkpoints to level 1. When a user wants to withdraw the funds, the tokens on the Plasma network need to be ‘burned’ (removed from circulation permanently). The user then submits the receipt of this ‘burn transaction’ as proof that the tokens were burnt.
After a ‘challenge period’ of seven days from the submission, the user can withdraw the funds. Gerhard Wagener found a way to launch an attack that could generate 223 alternative exit payloads with the same burn receipt.
This means, with a capital of $100K, a malicious user can gain 223 times the amount — $22.3 Mn — with the potential for losses of up to $850 Mn for users on the network. Right off the bat, a $2 Mn bounty to prevent the loss of $850 Mn seems like an exceptionally well-thought-out investment.
But the ramifications of this bounty programme will reflect on the whole DeFi industry. With platforms providing such a large remuneration to those who can expose its flaws, the best white-hat hackers and security researchers will be drawn to the programme, resulting in a more secure and dependable system in the long run.
DeFi hacks accounted for more than 71% of the major hacks in 2021. According to the Cryptocurrency Crime and Anti-Money Laundering Report by CipherTrace, $361 Mn has been lost to DeFi hacks this year compared to $129 Mn last year.
According to the report, one of the biggest DeFi hacks this year happened on May 19 when the PancakeBunny protocol faced a ‘flash loan exploit’ that drained $45 Mn worth of assets. The exploit was used to manipulate the price of many PancakeSwap pools, which resulted in the minting of 697,000 BUNNY tokens. The hackers sold the coins for Binance coins, causing the price of BUNNY to fall from $146 to $6.
But the developers at Bunny finance didn’t exactly learn their lesson. On the sixteenth of July, the company’s new Polygon blockchain fork PolyBunny was also hit with the same exploit, minting $2.1 Mn worth of PolyBunny and dropping its price from $10 to $2.
The very next month, Poly Network announced the biggest DeFi heist ever: $611 Mn worth of assets were lost from the platform that allowed interoperability between different chains like Bitcoin, Ethereum etc. The attacker stole funds in more than 12 cryptocurrencies, including $273 Mn of Ethereum tokens, $253 Mn in tokens on Binance Smart Chain and $85 Mn in USDC on the Polygon network.
However, within a day, the hackers started transferring the funds back to a wallet controlled by them and Poly Network. The crisis was averted, but a point was made: there is an increasing need for security research in the wild west world of DeFi.
