The problem might have been caused by “using someone else’s code and not fully understanding what it does,” according to the white-hat hacker who found it. After reporting, and proposing a fix for, a potentially costly “double-spend” flaw on the Polygon network, white-hat hacker Gerhard Wagner has earned $2 million.
According to a blog post published on Oct. 21 by Immunefi, a security service that handles bug reports for decentralized finance projects, a skilled attacker could have drained $850 million from the Polygon network’s Plasma Bridge. The weakness, according to the project, would have allowed an attacker to exit the same burn transaction from the bridge up to 223 times, quickly turning a $4,500 deposit into roughly $1 million.
The double-spend attack, according to Immunefi, worked by first depositing Ether (ETH) over the Plasma Bridge and then starting the withdrawal procedure once the transaction was confirmed. After waiting out the week that a Plasma exit takes to finalize, the attacker could resubmit the same withdrawal proof with “a changed initial byte of the branch mask” as the only difference, and the bridge would treat it as a new exit.
If the attacker had started with $3.8 million, they could have drained all $850 million held in the bridge’s deposit manager at the time. Following Wagner’s original report on Oct. 5, Polygon decided to pay the maximum reward for a bug bounty report, $2 million. The fix has been tested and deployed to mainnet, Wagner has received the money, which is said to be “the greatest reward ever given out in history,” and no user funds were lost as a result of the vulnerability, according to the platform.
On his Medium blog, Wagner speculated that the error was caused by “using someone else’s code and not having a 100% knowledge of what it does.” He went on to say that while the fix was “not very elegant,” it did close the double-spend flaw.
Before this $2 million payout, the largest bounty paid to a white-hat hacker in DeFi had gone to programmer Alexander Schlindwein, who received $1.05 million in September for discovering a vulnerability in Belt Finance’s protocol. By comparison, the US Department of State offers rewards of up to $10 million to anyone who can pass on information about terrorist suspects, radicals, and state-sponsored hackers.
Belt Finance, an automated market maker (AMM) protocol running on Binance Smart Chain (BSC), said at the time that it had paid the largest bounty in the history of decentralized finance (DeFi) to a white-hat hacker who headed off a bug that could have cost $10 million.