Ethereum scaling solution Polygon awarded $2 million, the biggest bounty in the history of DeFi, to a white hat hacker. The reward went to Gerhard Wagner for discovering a vulnerability in the Polygon Plasma Bridge on October 5. By projection, Polygon's total exposure was a whopping $850,000, so he certainly deserved every cent of the bounty.
White hat hackers, also known as ethical hackers, are the good guys of computer security. They use their skills to find vulnerabilities in systems and report them so they can be fixed, instead of exploiting them.
How the Polygon White Hacker Saved the Day
The Polygon Plasma Bridge is a key component of the network because it provides interoperability between Polygon and Ethereum: this trustless transaction channel allows users to move tokens between the two chains.
The vulnerability allowed an attacker to exit the same burn transaction from the bridge multiple times, up to 223 times. To illustrate the magnitude of the issue, an attacker with just $100,000 to launch the attack could cause a loss of $22.3 million. A full string of such attacks would therefore lead to total damage of approximately $850 million.
Polygon certainly dodged a bullet thanks to Wagner’s fine work.
After Wagner submitted his report, Polygon acted promptly: within 30 minutes, the network had begun fixing the issue. The bug was patched quickly, with no damage to or impact on users' funds.
The Role of Bounty Programs
Polygon launched its bounty program on Immunefi in September as the team sought to eliminate potential security flaws. Immunefi is the leading bug bounty and security services platform in the DeFi space and currently protects $50 billion in user funds.
Essentially, a bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting bugs and issues. Projects often run bug bounty programs to supplement internal code audits and penetration tests.
In the case of Polygon, security researchers are rewarded for their efforts based on Immunefi's Vulnerability Severity Classification System, the platform's way of ranking threats by the severity of the issue. The lowest possible payout is $1,000, while critical issues, like the one Wagner found, warrant million-dollar rewards.
Jaynti Kanani, a co-founder of Polygon, is inviting other platforms to adopt their approach. He said, “We hope this bounty on Immunefi sets an example for other web 3.0 projects and attracts Giga brains from the white hat security research community to contribute to web 3.0 and make it more resilient from future security threats.”
Polygon's foresight saved it from what could have been a catastrophic situation. Exchanges and platforms lose their shirts over vulnerabilities of this severity. Two weeks ago, OpenSea fixed vulnerabilities in its platform that could have let hackers steal someone's crypto after sending them a maliciously crafted NFT. Security firm Check Point Research found the issue after users started complaining on Twitter.