Key Takeaways
- Polygon has patched a “high severity” bug that would have allowed an attacker to drain all the funds from the deposit manager contract.
- Niv Yehezkel, who discovered and reported the bug, was rewarded $75,000.
- He stated on Twitter that the vulnerability put billions of dollars at risk. Immunefi, meanwhile, said that the vulnerability was unexploitable at the time of the report.
Share this article
The bug bounty platform Immunefi has revealed that Polygon recently patched a “high severity” vulnerability in the network’s Proof-of-Stake system that put billions of dollars at risk.
Polygon Dodges Critical Hack
Polygon, a Proof-of-Stake sidechain on Ethereum, has patched a “consensus bypass” bug that could have resulted in billions of dollars in losses.
According to an Immunifi bug fix report published Monday, the vulnerability, initially reported by white hat Niv Yehezkel on Jan. 15, would’ve allowed an attacker to bypass the network’s consensus threshold and “drain all funds from the deposit manager, engage in unlimited withdrawals, DoS [Denial-of-Service attack] and more.”
Yehezkel, who received a $75,000 bounty from Polygon for reporting the bug, said on Twitter today that the vulnerability put billions of dollars at risk.
Excited to share my research on the Polygon to Ethereum PoS bridge, in which I have found a consensus bypass vulnerability that puts billions of dollars at risk. Thank you Immunefi team and Polygon team for the rapid response, professional joint work and quick patching. https://t.co/AKT0HrbWOE
— niv (@invlpgtbl) February 21, 2022
According to Immunifi’s report, the vulnerability affected the Proof-of-Stake system in Polygon’s smart contract on Ethereum. Notably, an attacker would have needed to meet three very specific conditions to exploit the vulnerability. However, meeting the criteria would have allowed them to drain all tokens from the network’s deposit manager.
“After this consensus bypass, the attacker can send malicious checkpoints that fake a withdrawal of tokens from Polygon that basically drains all tokens from the deposit manager, claiming all heimdall fees stored and more,” the report said.
Commenting on the potential severity of the exploit, Immunefi Chief Technology Officer Duncan Townsend told Crypto Briefing that “no money was at risk because the bug was not exploitable at the time of the report.” He also said that he thought the $75,000 reward was “generous”…
Click Here to Read the Full Original Article at Technology Updates – Crypto Briefing…
