A bug bounty reward worth $2 million went to researcher Gerhard Wagner for his discovery of a critical flaw in Polygon's Plasma Bridge. If successfully exploited, this Polygon vulnerability would have let an attacker submit the same withdrawal repeatedly under different exit IDs: a single withdrawal could have been submitted up to 224 times.
The Polygon Vulnerability: How Could It Have Been Abused
As SecurityWeek explains, an attacker could deposit a sum through the Polygon Plasma Bridge, withdraw the whole sum, and then repeat the same withdrawal no fewer than 223 additional times, each withdrawal paying out the full amount again. In concrete terms, a threat actor could have deposited $1 million and, by exploiting the Polygon vulnerability this way, walked away with $224 million.
The real danger was that an attacker could have emptied the Plasma Bridge's Deposit Manager, which held approximately $850 million.
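The pattern described above, as an added illustration that is not Polygon's code and does not reproduce the real bug's mechanics: a toy bridge whose replay protection is keyed on the exit ID the submitter supplies can be drained by presenting one burn under many exit IDs, while a bridge that keys the check on the burn itself pays out once. The `Burn`, `Bridge` and `candidate_exit_ids` names, the way the alternative exit IDs are derived, and the dollar figures used as sample input are all constructed for this example; the article's 224 variants and $850 million pool are used only as parameters.

```python
"""Toy model of the repeated-withdrawal pattern (constructed example, not Polygon's contracts).

The bridge holds a pool (standing in for the Deposit Manager). A user burns tokens
on the child chain and then presents an exit to withdraw from the pool. The only
thing that differs between the two handlers below is what the replay check is keyed on.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Burn:
    tx_hash: str  # child-chain transaction that burned the tokens (constructed)
    owner: str
    amount: int


@dataclass
class Bridge:
    pool: int  # funds held by the deposit manager
    balances: dict = field(default_factory=dict)
    processed_exits: set = field(default_factory=set)
    processed_burns: set = field(default_factory=set)

    def _pay(self, burn: Burn) -> None:
        if self.pool < burn.amount:
            raise ValueError("insufficient pool funds")
        self.pool -= burn.amount
        self.balances[burn.owner] = self.balances.get(burn.owner, 0) + burn.amount

    def process_exit_vulnerable(self, burn: Burn, exit_id: int) -> None:
        """Replay protection keyed on the submitter-supplied exit ID only."""
        if exit_id in self.processed_exits:
            raise ValueError("exit already processed")
        self.processed_exits.add(exit_id)
        self._pay(burn)

    def process_exit_hardened(self, burn: Burn, exit_id: int) -> None:
        """Replay protection keyed on the burn itself: one burn exits at most once."""
        if burn.tx_hash in self.processed_burns:
            raise ValueError("burn already exited")
        self.processed_burns.add(burn.tx_hash)
        self.processed_exits.add(exit_id)
        self._pay(burn)


def candidate_exit_ids(burn: Burn, variants: int) -> list[int]:
    """Hypothetical: produce `variants` distinct exit IDs for the same burn.

    In a sound design the exit ID is a pure function of the burn, so this list
    would have length 1. The derivation (shift and OR a counter) is made up; the
    article's 224 stands in for how many alternative IDs the real bug allowed.
    """
    base = int(burn.tx_hash, 16)
    return [(base << 8) | v for v in range(variants)]


def drain(bridge: Bridge, burn: Burn, variants: int, hardened: bool) -> int:
    """Submit every candidate exit ID for one burn; return the total paid to its owner."""
    handler = bridge.process_exit_hardened if hardened else bridge.process_exit_vulnerable
    for exit_id in candidate_exit_ids(burn, variants):
        try:
            handler(burn, exit_id)
        except ValueError:
            continue  # duplicate exit or empty pool: this attempt pays nothing
    return bridge.balances.get(burn.owner, 0)


if __name__ == "__main__":
    burn = Burn(tx_hash="0xabc123", owner="attacker", amount=1_000_000)  # constructed
    print("vulnerable:", drain(Bridge(pool=850_000_000), burn, 224, hardened=False))
    print("hardened:  ", drain(Bridge(pool=850_000_000), burn, 224, hardened=True))
```

The third scenario in the test below makes the other point the article raises: the payout is bounded by what the pool holds, which is why the Deposit Manager balance, not the attacker's deposit, sets the ceiling on the loss.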
Where the Issue Lay
Gerhard Wagner published a report detailing the Polygon vulnerability. The problem appeared to lie in Polygon's WithdrawManager, as