White-hat hacker Gerhard Wagner has earned a $2 million bounty for reporting a potentially costly “double-spend” bug on the Polygon network.
The Polygon network’s Plasma Bridge was at risk of being exploited by a knowledgeable attacker, according to a blog post published October 21 by Immunefi, a security service that facilitates bug reports in decentralized finance projects.
An attacker could exit their burn transaction from the bridge up to 223 times, quickly converting $4,500 into $1 million profit, according to the project.
According to Immunefi’s report, the double-spend exploit worked by first depositing Ether (ETH) through the Plasma Bridge and then withdrawing it after the transaction had been confirmed.
Once the first withdrawal had gone through, the attacker could resubmit the same withdrawal, unchanged except for “a modified first byte of the branch mask.” Assuming they had started with $3.8 million, they could have depleted all $850 of the bridge’s deposits.
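Why one modified byte can defeat replay protection, as an added example that is not from the article or from Polygon's code. It assumes a lenient path decoder that checks only the high nibble of the mask's first byte and a replay key built from the raw mask bytes; `Bridge`, `decode_mask`, `is_canonical` and the sample mask are hypothetical.

```python
# Added illustration: a toy model, not Polygon's contract code.
# Assumption: the path decoder inspects only the high nibble of the first byte
# (hex-prefix style: 1 or 3 means "odd length, low nibble is data"; anything
# else is treated as "even length, skip the first byte").

def decode_mask(mask: bytes) -> tuple:
    """Lenient decoder: many encodings map to the same nibble path."""
    nibbles = [n for b in mask for n in (b >> 4, b & 0x0F)]
    return tuple(nibbles[1:]) if nibbles[0] in (1, 3) else tuple(nibbles[2:])

def is_canonical(mask: bytes) -> bool:
    """Strict rule for this model: an even-length path must start with 0x00."""
    return len(mask) > 0 and mask[0] == 0x00

class Bridge:
    def __init__(self, strict: bool):
        self.strict = strict
        self.seen = set()   # replay-protection keys of processed exits
        self.paid = 0

    def exit(self, tx_id: str, mask: bytes) -> bool:
        if self.strict and not is_canonical(mask):
            return False                      # reject non-canonical encodings
        # Weak key: raw mask bytes. Strong key: the decoded path.
        key = (tx_id, decode_mask(mask) if self.strict else mask)
        if key in self.seen:
            return False                      # already exited
        self.seen.add(key)
        self.paid += 1
        return True

def count_payouts(strict: bool) -> int:
    """Submit one exit per first-byte value that decodes to the same path."""
    bridge = Bridge(strict)
    original = bytes([0x00, 0x80])            # constructed sample mask
    target = decode_mask(original)
    for first in range(256):
        candidate = bytes([first]) + original[1:]
        if decode_mask(candidate) == target:  # proof would still verify
            bridge.exit("burn-tx-1", candidate)
    return bridge.paid
```

In this model the weak bridge pays once legitimately plus 223 more times, matching the figure quoted by the project, while the strict bridge pays once.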
After Wagner’s initial report on October 5, Polygon agreed to pay the full $2 million bug bounty. Wagner received the funds, reported to be “the highest bounty ever in history,” and no user funds were lost as a result of the exploit, according to the platform.
According to Immunefi’s Medium page, Wagner speculated the bug may be related to the fact that “we used someone else’s code without fully understanding what it does.” He added that while the solution was not elegant, it did fix the double-spend exploit.
In September, Alexander Schlindwein won the biggest bounty for a white hat hacker, receiving $1.05 million for discovering a vulnerability in Belt Finance’s protocol.
U.S. officials said they would offer hackers rewards of up to $10 million if they could pass along information on terrorist suspects, extremists or state-sponsored hackers.