Polygon White Hat Rewarded $75,000 for Saving Billions in User Funds

Thanks to a white hat hacker's help, Polygon has patched a critical network vulnerability that put billions of dollars at risk. The white hat was paid $75,000 for his services.

Polygon White Hat Rewarded $75,000 for Saving Billions in User Funds
Shutterstock cover by eamesBot

Key Takeaways

  • Polygon has patched a "high severity" bug that would have allowed an attacker to drain all the funds from the deposit manager contract.
  • Niv Yehezkel, who discovered and reported the bug, was rewarded $75,000.
  • He stated on Twitter that the vulnerability put billions of dollars at risk. Immunefi, meanwhile, said that the vulnerability was unexploitable at the time of the report.

Share this article

The bug bounty platform Immunefi has revealed that Polygon recently patched a “high severity” vulnerability in the network’s Proof-of-Stake system that put billions of dollars at risk.

Polygon Dodges Critical Hack

Polygon, a Proof-of-Stake sidechain on Ethereum, has patched a “consensus bypass” bug that could have resulted in billions of dollars in losses.

According to an Immunifi bug fix report published Monday, the vulnerability, initially reported by white hat Niv Yehezkel on Jan. 15, would’ve allowed an attacker to bypass the network’s consensus threshold and “drain all funds from the deposit manager, engage in unlimited withdrawals, DoS [Denial-of-Service attack] and more.”

Yehezkel, who received a $75,000 bounty from Polygon for reporting the bug, said on Twitter today that the vulnerability put billions of dollars at risk.

According to Immunifi’s report, the vulnerability affected the Proof-of-Stake system in Polygon’s smart contract on Ethereum. Notably, an attacker would have needed to meet three very specific conditions to exploit the vulnerability. However, meeting the criteria would have allowed them to drain all tokens from the network’s deposit manager. 

“After this consensus bypass, the attacker can send malicious checkpoints that fake a withdrawal of tokens from Polygon that basically drains all tokens from the deposit manager, claiming all heimdall fees stored and more,” the report said.

Commenting on the potential severity of the exploit, Immunefi Chief Technology Officer Duncan Townsend told Crypto Briefing that “no money was at risk because the bug was not exploitable at the time of the report.” He also said that he thought the $75,000 reward was “generous” given the severity of the vulnerability.

According to data from Defi Llama, Polygon holds over $4.17 billion in total value locked across its DeFi ecosystem. It’s Ethereum’s most used sidechain, holding more value than Layer 2 networks like Arbitrum and Optimism. Earlier this month, it raised $450 million in an investment round led by the renowned venture capital firm Sequoia.

Polygon has dealt with several similar security incidents in the past. In October, it patched a bug that could have led to an $850 million exploit, paying a $2 million bounty to the white hat that disclosed it. In December, a hacker stole $1.6 million in MATIC tokens due to another critical bug in the network. Polygon averted a $20 billion crisis by reacting quickly to the incident. 

The Polygon team could not be reached for comment at press time. Polygon also opted against sharing details of the bug fix on its communications channels.

Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies. 

Share this article