The bug bounty platform Immunefi has revealed that Polygon recently patched a “high severity” vulnerability in the network’s Proof-of-Stake system that put billions of dollars at risk.
Polygon Dodges Critical Hack
Polygon, a Proof-of-Stake sidechain on Ethereum, has patched a “consensus bypass” bug that could have resulted in billions of dollars in losses.
According to an Immunifi bug fix report published Monday, the vulnerability, initially reported by whitehat Niv Yehezkel on Jan. 15, would’ve allowed an attacker to bypass the network’s consensus threshold and “drain all funds from the deposit manager, engage in unlimited withdrawals, DoS [Denial-of-Service attack] and more.”
Yehezkel, who received a $75,000 bounty from Polygon for reporting the bug, said on Twitter today that the vulnerability put billions of dollars at risk.
Excited to share my research on the Polygon to Ethereum PoS bridge, in which I have found a consensus bypass vulnerability that puts billions of dollars at risk. Thank you Immunefi team and Polygon team for the rapid response, professional joint work and quick patching. https://t.co/AKT0HrbWOE
— niv (@invlpgtbl) February 21, 2022
According to Immunifi’s report, the vulnerability affected the Proof-of-Stake system in Polygon’s smart contract on Ethereum. Notably, an attacker would have needed to meet three very specific conditions to exploit the vulnerability. However, meeting the criteria would have allowed them to drain all tokens from the network’s deposit manager.
“After this consensus bypass, the attacker can send malicious checkpoints that fake a withdrawal of tokens from Polygon that basically drains all tokens from the deposit manager, claiming all heimdall fees stored and more,” the report said.
Commenting on the potential severity of the exploit, Immunefi Chief Technology Officer Duncan Townsend told Crypto Briefing that “no money was at risk because the bug was not exploitable at the time of the report.” He also said that he thought the $75,000 reward was “generous” given the severity of the vulnerability.
According to data from Defi Llama, Polygon holds over $4.17 billion in total value locked across its DeFi ecosystem. It’s Ethereum’s most used sidechain, holding more value than Layer 2 networks like Arbitrum and Optimism. Earlier this month, it raised $450 million in an investment round led by the renowned venture capital firm Sequoia.
Polygon has dealt with several similar security incidents in the past. In October, it patched a bug that could have led to an $850 million exploit, paying a $2 million bounty to the whitehat that disclosed it. In December, a hacker stole $1.6 million in MATIC tokens due to another critical bug in the network. Polygon averted a $20 billion crisis by reacting quickly to the incident.
The Polygon team could not be reached for comment at press time. Polygon also opted against sharing details of the bug fix on its communications channels.