Earlier this month, a report was submitted to Immunefi regarding a bug that could have resulted in a loss of $850 million if exploited.
As promised, we broke another record.
@g3rh4rdw4gn3r found a bug in @0xPolygon’s plasma bridge that could have resulted in an $850m loss if exploited.
The bounty payout is the largest: $2m.
Bug fixed. Everyone is safe!
A real win for all.
~Twitter (@immunefi)
Note that Immunefi is the leading security services platform for Decentralized Finance and provides the most significant bounties in the world.
In September 2021, the Polygon team launched its bug bounty program on Immunefi with a maximum bounty of $2,000,000. The program focused on preventing loss of users' funds, theft of unclaimed yield, smart contract gas drainage, network shutdown, double spend, censorship, checkpoint manipulation, and temporary freezing of funds. Bounties ranged from $1000 to $2,000,000 depending on the type of vulnerability.
$850 million was at risk of exploitation
On October 5th, whitehat hacker Gerhard Wagner submitted a report on a critical vulnerability in the Polygon Plasma Bridge that allowed an attacker to exit the same burn transaction from the bridge 223 times. Around $850 million was at risk of exploitation, and an exploit would have depleted the bridge by a considerable amount.
The bug is said to stem from an incomplete understanding of the code: the developer either did not understand the code well or may have used existing building blocks to write the smart contracts.
After Gerhard Wagner's report, the Immunefi team confirmed the issue, and Polygon then started to fix it. Interestingly, Polygon decided to pay the maximum bounty of $2,000,000 for this submission. This is indeed the highest ever bounty in history.
What does this exploit look like?
A blockchain bridge is a method of connecting two blockchains, and the Polygon Plasma bridge provides a two-way transaction channel between Ethereum and Polygon. It is often considered more secure than Polygon's Proof of Stake bridge because the former uses the exit mechanism.
In this particular case, a user could deposit a large number of tokens to Polygon via the bridge and, after confirmation, start the withdrawal process. The user has to wait several days for an exit to be validated. The user could then resubmit the exit payout with a modified first byte of the branchmask; the same otherwise valid transaction could be resubmitted with different values for the first byte. This resubmission could be done up to 223 times.
Note that branchmask is a function in the code that keeps the system secure, and its first byte always has to be 0x00.
The vulnerability has now been fixed to ensure that the first byte of the branchmask is always 0x00, and hence, it has prevented the colossal loss of funds.
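The following Python model is an added example, not code from Polygon's contracts or from the original post. It shows why a replay key built from the raw branchmask bytes fails when the path decoder ignores some of those bytes, and how the first-byte check closes the gap. The names `decode_path`, `exit_id`, `Bridge` and `accepted_duplicates` are hypothetical, the branchmask is modelled as a byte string submitted with the exit, and the hex-prefix decoding rule is an assumption of the model.

```python
import hashlib

def decode_path(mask: bytes) -> tuple:
    # Assumed hex-prefix rule: the first nibble is a flag. Flags 1 and 3 keep
    # the second nibble; every other flag discards the whole first byte.
    nib = [n for b in mask for n in (b >> 4, b & 0x0F)]
    return tuple(nib[1:] if nib[0] in (1, 3) else nib[2:])

def exit_id(block: int, mask: bytes) -> str:
    # Replay key built from the raw bytes, not from the decoded path.
    return hashlib.sha256(block.to_bytes(8, "big") + mask).hexdigest()

class Bridge:
    def __init__(self, burns: dict, require_canonical: bool):
        # burns maps (block, decoded path) to an amount; it stands in for
        # the receipt proof verification, which is out of scope here.
        self.burns = burns
        self.require_canonical = require_canonical
        self.seen, self.paid = set(), 0

    def start_exit(self, block: int, mask: bytes) -> bool:
        if len(mask) < 2:
            return False
        if self.require_canonical and mask[0] != 0x00:
            return False              # the fix the page describes
        amount = self.burns.get((block, decode_path(mask)))
        key = exit_id(block, mask)
        if amount is None or key in self.seen:
            return False              # unknown burn, or this exact exit was already processed
        self.seen.add(key)
        self.paid += amount
        return True

def accepted_duplicates(require_canonical: bool) -> int:
    legit = bytes([0x00, 0x80, 0x05])  # constructed sample branchmask
    bridge = Bridge({(100, decode_path(legit)): 1}, require_canonical)
    bridge.start_exit(100, legit)      # the one legitimate exit
    # Count how many other first-byte values are paid out for the same burn.
    return sum(bridge.start_exit(100, bytes([b]) + legit[1:]) for b in range(1, 256))

if __name__ == "__main__":
    print("without first-byte check:", accepted_duplicates(False))
    print("with first-byte check:   ", accepted_duplicates(True))
```

In this model, 14 of the 16 possible flag nibbles discard the first byte, so 14 × 16 = 224 first-byte values decode to the same path; excluding the legitimate 0x00 leaves the 223 duplicates the report describes.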