Polygon White Hat Rewarded $75,000 for Saving Billions in User Funds

Key Takeaways

Polygon has patched a “high severity” bug that may have allowed an attacker to drain all of the funds from the deposit manager contract.
Niv Yehezkel, who found and reported the bug, was rewarded $75,000.
He said on Twitter that the vulnerability put billions of dollars at risk. Immunefi, meanwhile, said that the vulnerability was not exploitable at the time of the report.

The bug bounty platform Immunefi has revealed that Polygon recently patched a “high severity” vulnerability in the network’s Proof-of-Stake system that put billions of dollars at risk.

Polygon Dodges Critical Hack

Polygon, a Proof-of-Stake sidechain on Ethereum, has patched a “consensus bypass” bug that could have resulted in billions of dollars in losses.

According to an Immunefi bug fix report published Monday, the vulnerability, initially reported by white hat Niv Yehezkel on Jan. 15, would have allowed an attacker to bypass the network’s consensus threshold and “drain all funds from the deposit manager, engage in unlimited withdrawals, DoS [Denial-of-Service attack] and more.”

Yehezkel, who received a $75,000 bounty from Polygon for reporting the bug, said on Twitter today that the vulnerability put billions of dollars at risk.

According to Immunefi’s report, the vulnerability affected the Proof-of-Stake system in Polygon’s smart contract on Ethereum. Notably, an attacker would have needed to meet three very specific conditions to exploit the vulnerability. However, meeting those criteria would have allowed them to drain all tokens from the network’s deposit manager.

“After this consensus bypass, the attacker can send malicious checkpoints that fake a withdrawal of tokens from Polygon that basically drains all tokens from the deposit manager, claiming all heimdall fees stored and more,” the report said.

Commenting on the potential severity of the exploit, Immunefi Chief Technology Officer Duncan Townsend told Crypto Briefing that “no money was at risk because the bug was not exploitable at the time of the report.” He also said that he thought the $75,000 reward was “generous” given the severity of the vulnerability.

According to data from DeFi Llama, Polygon holds over $4.17 billion in total value locked across its DeFi ecosystem. It is Ethereum’s most used sidechain, holding more value than Layer 2 networks like Arbitrum and Optimism. Earlier this month, it raised $450 million in a funding round led by the renowned venture capital firm Sequoia.

Polygon has dealt with several similar security incidents in the past. In October, it patched a bug that could have led to an $850 million exploit, paying a $2 million bounty to the white hat who disclosed it. In December, a hacker stole $1.6 million in MATIC tokens due to another critical bug in the network. Polygon averted a $20 billion disaster by reacting quickly to the incident.

The Polygon team could not be reached for comment at press time. Polygon also opted against sharing details of the bug fix on its communications channels.

Disclosure: At the time of writing, the author of this feature owned ETH and several other cryptocurrencies.
