Polygon, a blockchain technology company, has paid out $2 million in bug bounty rewards for a ‘double spend’ vulnerability that could have wreaked havoc across its network.
The flaw, discovered by ethical hacker Gerhard Wagner, enabled an attacker to double the amount of cryptocurrency they intend to withdraw up to 233 times.
This could have allowed a malicious actor who has deposited just $4,500 to withdraw $1 million – and an attacker with $3.8 million could exploit the flaw to acquire up to $850 million.
Polygon is a protocol and a framework for building and connecting Ethereum-compatible blockchain networks.
The framework offers a “trustless, two-way transaction channel” between Polygon and Ethereum.
This ‘blockchain bridge’ uses a network called Plasma to authenticate and process withdrawals. It was in a contract on Plasma, the DepositManagerProxy, that the flaw was discovered.
The vulnerability, which is explained in technical detail in a blog post from Wagner, takes advantage of the fact that when a user deposits funds into the blockchain, they are “locked in” at the first stage (L1) and made available on the Plasma network.
An aggregator called the ‘child’ chain bundles the Plasma transactions into blocks and submits checkpoints to L1, which confirms that transactions have been successfully processed on the child chain and can also detect misbehavior.
When a user decides to withdraw their funds back to L1, the tokens need to be ‘burned’ on the Plasma chain.
The user presents the receipt of the burn transaction to the Plasma bridge as proof that the tokens were burned and, after a challenge period of seven days, the funds can be withdrawn back to the user on L1.
A flaw in the network could have allowed an attacker to burn a single transaction up to 233 times – potentially releasing $850 million in funds.
Wagner said he believes the vulnerability was present because the Plasma network was built based on third-party code.
“If I had to guess why the bug happened, I would say it might be due to using someone else’s code and not having a 100% understanding of what it does,” he wrote.
Wagner added: “It’s OK to use exiting building blocks when you write smart contracts, but you must understand all implications of doing so. At the end of the day, it’s your code; it does not matter if you or someone else wrote it.”
The researcher said that the issue was fixed by “rejecting any encoding that does not start with 0x00”.
He said: “It’s not very elegant, but it fixes the double-spending bug by hard coding the encoding meta character.”
Speaking to The Daily Swig, Wagner said that his experience working with fraud-proof systems made him “pretty confident his find was worth the maximum $2 million payout.
He said: “When I verified the exploit and did the impact analysis, I was pretty confident that the bug was worth the maximum bounty. The Polygon team quickly came to the same conclusion after their investigation and confirmed the bounty reward.
“I have experience with fraud-proof systems, specifically Plasma, so I understand how it works and what can go wrong. I have spent approximately four days looking at the code. In the end, I almost gave up as I thought the implementation was ok until I realized what happened to the proof path.
“I had the PoC exploit in minutes as it was easy to create once you knew what to do.”
Wagner added: “My recommendation for anyone in infosec thinking about going into crypto is, don’t be afraid to invest time into learning. It takes time to understand this new frontier. It will pay off eventually.
“The opportunities in crypto as a hacker are tremendous. I predict we will see high single-digit million dollar bounties announced from projects and white hats claiming them in a not too distant future.”