Security Experts:

Connect with us

Hi, what are you looking for?



Researcher Earns $2 Million for Critical Vulnerability in Polygon

Security researcher Gerhard Wagner earned a $2 million bug bounty reward for a critical vulnerability in Polygon’s Plasma Bridge that could have allowed a malicious user to submit the same withdrawal transaction 224 times, with different exit IDs.

Security researcher Gerhard Wagner earned a $2 million bug bounty reward for a critical vulnerability in Polygon’s Plasma Bridge that could have allowed a malicious user to submit the same withdrawal transaction 224 times, with different exit IDs.

Specifically, a user could deposit a specific amount to the Polygon Plasma Bridge, withdraw the entire sum, and then submit the same withdrawal transaction an additional 223 times, each time receiving the full amount. Basically, one could deposit $1 million and withdraw $224 million.

With the DepositManager for the Plasma Bridge holding roughly $850 million in total, an attacker could have depleted the entire amount using multiple fraudulent transactions.

Polygon’s solution has been designed to provide a blockchain bridge – a method of connecting two distinct blockchains –, creating a two-way transaction channel that enables users to move assets from the root chain (Ethereum) to the child chain (Polygon).

A user looking to withdraw assets from Polygon initiates the transaction on the network and, after a specific set of checks are performed and the transaction approved, the user needs to wait for seven days before being able to withdraw the funds to their Ethereum account.

The withdrawal starts with burning tokens on the child chain. After the burn is confirmed, an initial checkpoint (30 minutes) follows and the exit payload is passed to the withdraw function (in Polygon Plasma). The user can proceed with the exit only if the burn transaction is successful and valid and if proof has been included in the root chain.

What Wagner discovered was that the manner in which Polygon’s WithdrawManager checks inclusion and uniqueness of the burn transaction was flawed.

The issue was found in the function that checks Merkle proof’s branchMask for the burn transaction receipt (a security guard included in the exit proof, which was supposed to be unique to the transaction) and existed because some values and differences were ignored during a decoding operation, thus allowing for the same proof to be replayed, because of differences in the decoding.

In the end, the white hat hacker discovered that the security error allowed for a total of 224 ways of decoding the same path, meaning that a malicious user could essentially create 224 exit IDs for the same withdraw transaction.

“Then the attack is launched, and 223 alternative exit payloads are generated with the technique described above, and exits are initiated for each one of them. All exits get a unique id and are added to the exit queue. Their age is already older than the challenge period since the burn transaction has been aggregated into a Plasma block, so the funds can be released,” Wagner explains.

To correct the issue, Polygon is demanding that the first byte of the encoded branch mask is always 0x00, and rejects all other encodings.

The vulnerability was reported on October 5, as part of the bug bounty program that Polygon launched on Immunefi. The report was found eligible for the highest payout available as part of the program, namely $2 million.

Related: Google Paid Over $29 Million in Bug Bounty Rewards in 10 Years

Related: U.S. Offers $10 Million Rewards for Information on Foreign Hackers

Related: Facebook Announces Payout Guidelines for Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet