White hat hacker Gerhard Wagner made $2 million after reporting a fix for a potentially costly “double spend” bug on the Polygon Network.
According to an October 21 blog post from Immunefi, a security service that helps facilitate bug reporting in decentralized finance projects, the Polygon Network's Plasma Bridge risked having a skilled hacker wipe out $850 million. According to the project, the vulnerability would have allowed attackers to exit their burn transaction from the bridge up to 223 times, quickly turning an amount such as $4,500 into $1 million in profit.
Immunefi reported that the double spend exploit worked by first depositing Ether (ETH) through the Plasma Bridge and starting the withdrawal process after the transaction was confirmed. A hacker could then wait a week and submit the same withdrawal again, identical except for “a modified first byte of the branch mask.” A hacker who started with $3.8 million could have exhausted all of the $850 million in funds held by the bridge’s deposit manager at the time.
Polygon agreed to pay its maximum amount for a bug bounty report ($2 million) following Wagner’s initial report on October 5. According to the platform, the bug fix has already been implemented on the mainnet after testing, Wagner has received the funds, which it claimed to be “the highest reward ever paid in history”, and no user funds were lost to the exploit.
Wagner speculated on his Medium page that the bug could be due to “using someone else’s code and not understanding 100% what they are doing.” He added that the fix was “not very fancy” but fixed the double-spend exploit.
Before this latest payment of $2 million, the biggest reward for a white hat hacker had gone to programmer Alexander Schlindwein, who in September discovered a vulnerability in the Belt Finance protocol and received $1.05 million. However, the US State Department could break that record if a hacker is able to provide information about terrorism suspects, extremists and state-sponsored hackers; the government said it would offer rewards of up to $10 million.