KEY POINTS

  • Polygon has fixed a "high severity" consensus-bypass flaw that would have let an attacker drain the deposit manager contract's funds
  • Niv Yehezkel, who identified and reported the vulnerability, received a $75,000 bounty
  • He said on Twitter that the flaw put billions of dollars at risk

Polygon, the Ethereum Proof-of-Stake sidechain, has fixed a "consensus bypass" flaw that could have cost billions of dollars. The company paid the researcher who reported the weakness $75,000, bug bounty platform Immunefi said.

Immunefi described the issue as a "high severity" vulnerability in the network's Proof-of-Stake mechanism that put billions of dollars at risk.

The vulnerability, first identified by whitehat Niv Yehezkel on Jan. 15, would have allowed an attacker to bypass the network's consensus threshold and "drain all funds from the deposit manager, engage in unlimited withdrawals, DoS [Denial-of-Service] attack, and more," according to the Immunefi bug fix report published on Monday.

Yehezkel, who received a $75,000 bounty for the find, said on Twitter that the flaw could have cost Polygon billions of dollars in fraudulent transactions.

Had it gone undetected, an attacker could have exploited the weakness to withdraw every token held by the network's deposit manager.

"After this consensus bypass, the attacker can send malicious checkpoints that fake a withdrawal of tokens from Polygon that drains all tokens from the deposit manager, claiming all Heimdall fees stored and more," the report said.
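The report quoted above describes the consequence of the bypass (checkpoints accepted without the required share of validator stake) but not its root cause. As an added illustration that is not Polygon's code or the bug fix itself, the following Python sketch shows the invariant a checkpoint-acceptance check has to hold: strictly more than two-thirds of total stake, counted once per validator, over signatures that actually bind to the checkpoint being submitted. The validator set, stakes, keys and the HMAC-based stand-in for signatures are all constructed for this example.

```python
"""Stake-weighted consensus threshold for accepting a sidechain checkpoint (illustration only)."""
import hmac
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Checkpoint:
    start_block: int
    end_block: int
    root_hash: bytes  # Merkle root of the sidechain blocks being committed to the root chain

    def encode(self) -> bytes:
        # Canonical byte encoding that every signer commits to.
        return (self.start_block.to_bytes(8, "big")
                + self.end_block.to_bytes(8, "big")
                + self.root_hash)


# Constructed validator set (hypothetical): signer -> (stake, signing key).
# Real validators sign with ECDSA keys; HMAC keys stand in so the example runs offline.
VALIDATORS = {
    "val-a": (40, b"key-a"),
    "val-b": (30, b"key-b"),
    "val-c": (20, b"key-c"),
    "val-d": (10, b"key-d"),
}


def sign(signer: str, cp: Checkpoint) -> bytes:
    """Toy signature: HMAC-SHA256 of the encoded checkpoint under the signer's key."""
    return hmac.new(VALIDATORS[signer][1], cp.encode(), sha256).digest()


def verify_checkpoint(cp: Checkpoint, sigs, validators=VALIDATORS, num=2, den=3) -> bool:
    """Accept cp only if unique, valid signatures cover strictly more than num/den of total stake."""
    total_stake = sum(stake for stake, _ in validators.values())
    seen = set()
    signed_stake = 0
    for signer, sig in sigs:
        if signer not in validators:
            return False  # signer is not in the active validator set
        if signer in seen:
            return False  # a validator's stake must be counted at most once
        stake, key = validators[signer]
        expected = hmac.new(key, cp.encode(), sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False  # signature does not bind to this checkpoint
        seen.add(signer)
        signed_stake += stake
    # Integer comparison avoids float rounding at the boundary: signed/total > num/den.
    return signed_stake * den > total_stake * num


if __name__ == "__main__":
    cp = Checkpoint(1000, 1255, sha256(b"constructed sidechain state").digest())
    honest = [(v, sign(v, cp)) for v in ("val-a", "val-b", "val-c")]  # 90 of 100 stake
    forged = Checkpoint(1000, 1255, sha256(b"attacker state").digest())
    print("honest checkpoint accepted:", verify_checkpoint(cp, honest))
    print("same sigs on forged checkpoint:", verify_checkpoint(forged, honest))
    print("one validator repeated:", verify_checkpoint(cp, [honest[0]] * 3))
```

Because withdrawals from the deposit manager are proven against checkpointed state, any path that lets a checkpoint through without this threshold (rather than any weakness in the signature scheme itself) is what turns a consensus bug into a drain of bridged funds.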

According to DefiLlama, Polygon has roughly $4.17 billion in total value locked across its DeFi ecosystem, making it Ethereum's most used sidechain, with more value locked than Layer 2 networks such as Arbitrum and Optimism.

Earlier this month it raised $450 million in an investment round led by venture capital firm Sequoia.

Polygon has dealt with serious vulnerabilities before. In October it fixed a flaw that could have enabled an $850 million exploit and paid the whitehat who reported it a $2 million bounty.

In December, a hacker exploited another critical flaw in the network to steal $1.6 million in MATIC tokens; Polygon patched the issue quickly and averted what could have been a $20 billion loss.
