Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researcher Earns $2 Million for Critical Vulnerability in Polygon

Security researcher Gerhard Wagner earned a $2 million bug bounty reward for a critical vulnerability in Polygon’s Plasma Bridge that could have allowed a malicious user to submit the same withdrawal transaction 224 times, with different exit IDs.

Security researcher Gerhard Wagner earned a $2 million bug bounty reward for a critical vulnerability in Polygon’s Plasma Bridge that could have allowed a malicious user to submit the same withdrawal transaction 224 times, with different exit IDs.

Specifically, a user could deposit a specific amount to the Polygon Plasma Bridge, withdraw the entire sum, and then submit the same withdrawal transaction an additional 223 times, each time receiving the full amount. Basically, one could deposit $1 million and withdraw $224 million.

With the DepositManager for the Plasma Bridge holding roughly $850 million in total, an attacker could have depleted the entire amount using multiple fraudulent transactions.

Polygon’s solution has been designed to provide a blockchain bridge – a method of connecting two distinct blockchains –, creating a two-way transaction channel that enables users to move assets from the root chain (Ethereum) to the child chain (Polygon).

A user looking to withdraw assets from Polygon initiates the transaction on the network and, after a specific set of checks are performed and the transaction approved, the user needs to wait for seven days before being able to withdraw the funds to their Ethereum account.

The withdrawal starts with burning tokens on the child chain. After the burn is confirmed, an initial checkpoint (30 minutes) follows and the exit payload is passed to the withdraw function (in Polygon Plasma). The user can proceed with the exit only if the burn transaction is successful and valid and if proof has been included in the root chain.

What Wagner discovered was that the manner in which Polygon’s WithdrawManager checks inclusion and uniqueness of the burn transaction was flawed.

The issue was found in the function that checks Merkle proof’s branchMask for the burn transaction receipt (a security guard included in the exit proof, which was supposed to be unique to the transaction) and existed because some values and differences were ignored during a decoding operation, thus allowing for the same proof to be replayed, because of differences in the decoding.

Advertisement. Scroll to continue reading.

In the end, the white hat hacker discovered that the security error allowed for a total of 224 ways of decoding the same path, meaning that a malicious user could essentially create 224 exit IDs for the same withdraw transaction.

“Then the attack is launched, and 223 alternative exit payloads are generated with the technique described above, and exits are initiated for each one of them. All exits get a unique id and are added to the exit queue. Their age is already older than the challenge period since the burn transaction has been aggregated into a Plasma block, so the funds can be released,” Wagner explains.

To correct the issue, Polygon is demanding that the first byte of the encoded branch mask is always 0x00, and rejects all other encodings.

The vulnerability was reported on October 5, as part of the bug bounty program that Polygon launched on Immunefi. The report was found eligible for the highest payout available as part of the program, namely $2 million.

Related: Google Paid Over $29 Million in Bug Bounty Rewards in 10 Years

Related: U.S. Offers $10 Million Rewards for Information on Foreign Hackers

Related: Facebook Announces Payout Guidelines for Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

Dan Pagel has been named the new CEO of risk management and remediation firm Brinqa.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.