Key Takeaways
Polygon has patched a “high severity” bug that would have allowed an attacker to drain all the funds from the deposit manager contract.
Niv Yehezkel, who discovered and reported the bug, was rewarded $75,000.
He stated on Twitter that the vulnerability put billions of dollars at risk. Immunefi, meanwhile, said that the vulnerability was unexploitable at the time of the report.
Share this article
The bug bounty platform Immunefi has revealed that Polygon recently patched a “high severity” vulnerability in the network’s Proof-of-Stake system that put billions of dollars at risk.
Polygon Dodges Critical Hack
Polygon, a Proof-of-Stake sidechain on Ethereum, has patched a “consensus bypass” bug that could have resulted in billions of dollars in losses.
According to an Immunifi bug fix report published Monday, the vulnerability, initially reported by white hat Niv Yehezkel on Jan. 15, would’ve allowed an attacker to bypass the network’s consensus threshold and “drain all funds from the deposit manager, engage in unlimited withdrawals, DoS [Denial-of-Service attack] and more.”
Yehezkel, who received a $75,000 bounty from Polygon for reporting the bug, said on Twitter today that the vulnerability put billions of dollars at risk.
Excited to share my research on the Polygon to Ethereum PoS bridge, in which I have found a consensus bypass vulnerability that puts billions of dollars at risk. Thank you Immunefi team and Polygon team for the rapid response, professional joint work and quick patching. https://t.co/AKT0HrbWOE
— niv (@invlpgtbl) February 21, 2022
According to Immunifi’s report, the vulnerability affected the Proof-of-Stake system in Polygon’s smart contract on Ethereum. Notably, an attacker would have needed to meet three very specific conditions to exploit the vulnerability. However, meeting the criteria would have allowed them to drain all tokens from the network’s deposit manager.
“After this consensus bypass, the attacker can send malicious checkpoints that fake a withdrawal of tokens from Polygon that basically drains all tokens from the deposit manager, claiming all heimdall fees stored and more,” the report said.
Commenting on the potential severity of the exploit, Immunefi Chief Technology Officer Duncan Townsend told Crypto Briefing that “no money was at risk because the bug was not exploitable at the time of the report.” He also said that he thought the $75,000 reward was “generous” given the severity of the vulnerability.
According to data from Defi Llama, Polygon holds over $4.17 billion in total value locked across its DeFi ecosystem. It’s Ethereum’s most used sidechain, holding more value than Layer 2 networks like Arbitrum and Optimism. Earlier this month, it raised $450 million in an investment round led by the renowned venture capital firm Sequoia.
Polygon has dealt with several similar security incidents in the past. In October, it patched a bug that could have led to an $850 million exploit, paying a $2 million bounty to the white hat that disclosed it. In December, a hacker stole $1.6 million in MATIC tokens due to another critical bug in the network. Polygon averted a $20 billion crisis by reacting quickly to the incident.
The Polygon team could not be reached for comment at press time. Polygon also opted against sharing details of the bug fix on its communications channels.
Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies.
Share this article
The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.
You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.
See full terms and conditions.
