Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researcher Earns $2 Million for Critical Vulnerability in Polygon

Security researcher Gerhard Wagner earned a $2 million bug bounty reward for a critical vulnerability in Polygon’s Plasma Bridge that could have allowed a malicious user to submit the same withdrawal transaction 224 times, with different exit IDs.

Security researcher Gerhard Wagner earned a $2 million bug bounty reward for a critical vulnerability in Polygon’s Plasma Bridge that could have allowed a malicious user to submit the same withdrawal transaction 224 times, with different exit IDs.

Specifically, a user could deposit a specific amount to the Polygon Plasma Bridge, withdraw the entire sum, and then submit the same withdrawal transaction an additional 223 times, each time receiving the full amount. Basically, one could deposit $1 million and withdraw $224 million.

With the DepositManager for the Plasma Bridge holding roughly $850 million in total, an attacker could have depleted the entire amount using multiple fraudulent transactions.

Polygon’s solution has been designed to provide a blockchain bridge – a method of connecting two distinct blockchains –, creating a two-way transaction channel that enables users to move assets from the root chain (Ethereum) to the child chain (Polygon).

A user looking to withdraw assets from Polygon initiates the transaction on the network and, after a specific set of checks are performed and the transaction approved, the user needs to wait for seven days before being able to withdraw the funds to their Ethereum account.

The withdrawal starts with burning tokens on the child chain. After the burn is confirmed, an initial checkpoint (30 minutes) follows and the exit payload is passed to the withdraw function (in Polygon Plasma). The user can proceed with the exit only if the burn transaction is successful and valid and if proof has been included in the root chain.

What Wagner discovered was that the manner in which Polygon’s WithdrawManager checks inclusion and uniqueness of the burn transaction was flawed.

The issue was found in the function that checks Merkle proof’s branchMask for the burn transaction receipt (a security guard included in the exit proof, which was supposed to be unique to the transaction) and existed because some values and differences were ignored during a decoding operation, thus allowing for the same proof to be replayed, because of differences in the decoding.

In the end, the white hat hacker discovered that the security error allowed for a total of 224 ways of decoding the same path, meaning that a malicious user could essentially create 224 exit IDs for the same withdraw transaction.

“Then the attack is launched, and 223 alternative exit payloads are generated with the technique described above, and exits are initiated for each one of them. All exits get a unique id and are added to the exit queue. Their age is already older than the challenge period since the burn transaction has been aggregated into a Plasma block, so the funds can be released,” Wagner explains.

To correct the issue, Polygon is demanding that the first byte of the encoded branch mask is always 0x00, and rejects all other encodings.

The vulnerability was reported on October 5, as part of the bug bounty program that Polygon launched on Immunefi. The report was found eligible for the highest payout available as part of the program, namely $2 million.

Related: Google Paid Over $29 Million in Bug Bounty Rewards in 10 Years

Related: U.S. Offers $10 Million Rewards for Information on Foreign Hackers

Related: Facebook Announces Payout Guidelines for Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.