Polygon, a scalability solution for the Ethereum network, gave a $2 million reward to a hacker who discovered a vulnerability that had put $850 million of capital at risk.
According to Immunefi, the security services and bug bounty platform that runs Polygon’s rewards program, this was the highest reward ever paid in the world of Decentralized Finance (DeFi).
The vulnerability, found by Gerhard Wagner in the Polygon Plasma Bridge on October 5, would have allowed a hacker to enter and exit the bridge 223 times.
The Polygon Plasma Bridge is a trustless transaction channel that connects Polygon (formerly known as Matic) with the Ethereum network, allowing tokens to be moved between the two blockchains.
According to a post-mortem statement shared with Decrypt, an attack launched with just $100,000 would result in a loss of $22.3 million or a combined total of approximately $850 million for a series of attacks.
Polygon began fixing the issue 30 minutes after Wagner reported the vulnerability. The bug has been fixed and no user funds were affected.
“We congratulate Gerhard on his outstanding work and excellent report, and we appreciate Polygon’s quick response, immediate fix and prompt payment,” said Mitchell Amador, Founder and CEO of Immunefi.
Polygon’s “Bug-hunting” Program
In September, the Polygon team launched the program to eliminate potential security holes.
Basically, the bug-hunting program is an open invitation for “good hackers” (“white-hat hackers”) to discover and report vulnerabilities in Polygon’s smart contracts and decentralized applications (dapps).
Security researchers will be rewarded for their efforts based on Immunefi’s Severity and Vulnerability Rating System, which ranks threats according to the severity of identified issues.
The minimum possible reward is $1,000 for low-severity threats, while the maximum is $2 million, awarded to those who discover critical vulnerabilities, as Wagner did.
“We hope this reward at Immunefi will set an example for other Web 3.0 projects, attract bright minds from the security research community as ‘good hackers’ and make it [the sector] more resilient to future security threats,” said Jaynti Kanani, co-founder of Polygon.
Previously, the Polygon network had its smart contracts audited by the cybersecurity firm Certik. Polygon is currently ranked 17th on Certik’s security ranking.
*Translated and edited by Daniela Pereira do Nascimento with permission from Decrypt.co.