Polygon just addressed a “high severity” vulnerability in the network’s Proof-of-Stake mechanism, putting billions of dollars at risk, according to bug bounty site Immunefi.
The deficiency put billions of dollars at risk, according to Niv Yehezkel, the whitehat who was paid $75,000 for identifying the vulnerability. Meanwhile, Immunefi stated that at the time of the report, the vulnerability was unexploitable.
Polygon, an Ethereum Proof-of-Stake sidechain, has fixed a “consensus bypass” flaw that might have cost billions of dollars.
The vulnerability, first reported by whitehat Niv Yehezkel on Jan. 15, would have allowed an attacker to bypass the network’s consensus threshold and “drain all funds from the deposit manager, engage in unlimited withdrawals, DoS [Denial-of-Service attack], and more,” according to an Immunefi bug fix report published Monday.
On Twitter today, Yehezkel, who won a $75,000 prize from Polygon for discovering the issue, said the flaw put billions of dollars at risk.
According to Immunefi’s report, the flaw affects the Proof-of-Stake system in Polygon’s Ethereum smart contracts. To exploit the vulnerability, an attacker would have had to meet three very particular conditions. Meeting those conditions, however, would have allowed them to drain the network’s deposit manager of all tokens.
“After this consensus bypass, the attacker can send malicious checkpoints that fake a withdrawal of tokens from Polygon that basically drains all tokens from the deposit manager, claiming all heimdall fees stored and more,” the report said.
Immunefi Chief Technology Officer Duncan Townsend told Crypto Briefing that “no money was at risk because the bug was not exploitable at the time of the report,” while acknowledging the potential severity of the exploit. He also stated that, considering the seriousness of the vulnerability, he thought the $75,000 reward was “generous.”
Polygon has approximately $4.17 billion in total value locked across its DeFi ecosystem, according to data from Defi Llama. It’s Ethereum’s most popular sidechain, outperforming Layer 2 networks like Arbitrum and Optimism in terms of value. It raised $450 million earlier this month in an investment round led by Sequoia Capital, a well-known venture capital firm.
Polygon has already dealt with a number of similar security breaches. It paid a $2 million bounty to the whitehat who discovered a defect that might have led to a $850 million exploit in October. Another serious flaw in the network resulted in a hacker stealing $1.6 million in MATIC tokens in December. By responding immediately to the problem, Polygon was able to avoid a $20 billion crisis.