White hat hacker Gerhard Wagner earned $2 million after reporting a potentially costly "double spend" bug on the Polygon network.
An Oct. 21 blog post from Immunefi, a security company that runs bug bounty programs for decentralized finance projects, said the Polygon network's Plasma bridge was at risk of being drained of $850 million by a knowledgeable hacker. According to the project, the vulnerability would have allowed attackers to resubmit their withdrawal transactions to the bridge up to 223 times, quickly turning a stake of around $4,500 into a profit of $1 million.
Immunefi reported that the double spend exploit works by first sending Ether (ETH) over the Plasma bridge and initiating the withdrawal process once the transaction is confirmed. A hacker could then wait a week and resubmit the same withdrawal, with only the "first byte of the branch mask modified." Assuming a hacker started with $3.8 million, they could at that point potentially pull the full $850 million in funds from the bridge's custodian.
Polygon agreed to pay the maximum amount for a reported bug bounty, $2 million, after Wagner first reported the bug on October 5th. According to the platform, the bug was patched on mainnet after the report. It claims this is "the highest bounty ever paid in history" and that no user funds were lost in the exploit.
Wagner speculated on his Medium page that the mistake could be due to "using someone else's code and not understanding 100% what he is doing." He added that the fix was "not very elegant," but it closed the double spend exploit.
Before this latest $2 million payout, the largest bounty paid to a white hat hacker went to programmer Alexander Schlindwein, who discovered a vulnerability in Belt Finance in September and received $1.05 million. However, the U.S. State Department could top that record: the government says it is offering up to $10 million in rewards to anyone who can provide information about terrorist suspects, extremists, and state-sponsored hackers.