Researcher Earns $2 Million for Critical Vulnerability in Polygon
Security researcher Gerhard Wagner earned a $2 million bug bounty reward for a critical vulnerability in Polygon’s Plasma Bridge that could have allowed a malicious user to submit the same withdrawal transaction 224 times, with different exit IDs.
Specifically, a user could deposit a specific amount to the Polygon Plasma Bridge, withdraw the entire sum, and then submit the same withdrawal transaction an additional 223 times, each time receiving the full amount. Basically, one could deposit $1 million and withdraw $224 million.
With the DepositManager for the Plasma Bridge holding roughly $850 million in total, an attacker could have depleted the entire amount using multiple fraudulent transactions.
Polygon’s solution is designed to provide a blockchain bridge (a method of connecting two distinct blockchains), creating a two-way transaction channel that enables users to move assets from the root chain (Ethereum) to the child chain (Polygon).
A user looking to withdraw assets from Polygon initiates the transaction on the network and, after a specific set of checks is performed and the transaction is approved, the user needs to wait seven days before being able to withdraw the funds to their Ethereum account.
The withdrawal starts with burning tokens on the child chain. After the burn is confirmed, an initial checkpoint (30 minutes) follows and the exit payload is passed to the withdraw function (in Polygon Plasma). The user can proceed with the exit only if the burn transaction is successful and valid and if proof has been included in the root chain.
What Wagner discovered was that the manner in which Polygon’s WithdrawManager checks inclusion and uniqueness of the burn transaction was flawed.
The issue was found in the function that checks the Merkle proof’s branchMask for the burn transaction receipt (a security guard included in the exit proof, which was supposed to be unique to the transaction). It existed because some values and differences were ignored during a decoding operation, which allowed the same proof to be replayed.
In the end, the white hat hacker discovered that the security error allowed for a total of 224 ways of decoding the same path, meaning that a malicious user could essentially create 224 exit IDs for the same withdraw transaction.
“Then the attack is launched, and 223 alternative exit payloads are generated with the technique described above, and exits are initiated for each one of them. All exits get a unique id and are added to the exit queue. Their age is already older than the challenge period since the burn transaction has been aggregated into a Plasma block, so the funds can be released,” Wagner explains.
To correct the issue, Polygon requires that the first byte of the encoded branch mask always be 0x00 and rejects all other encodings.
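The decoding ambiguity and the 0x00 rule can be shown with a small model, added here as an illustration; it is not Polygon’s contract code. It assumes a hex-prefix style decoder that inspects only the first nibble of the mask, and a uniqueness key derived from the raw encoded bytes; the function names and the sample mask are constructed for the example.

```python
# Simplified model (assumption) of a hex-prefix path decoder; not Polygon's code.

def decode_lenient(mask: bytes) -> tuple:
    """Pre-fix behaviour as modelled here: only the first nibble is inspected.
    1 or 3 means an odd-length path that starts at the low nibble of byte 0;
    every other value makes the decoder skip byte 0 entirely."""
    if not mask:
        return ()
    nibbles = [n for b in mask for n in (b >> 4, b & 0x0F)]
    if nibbles[0] in (1, 3):
        return tuple(nibbles[1:])
    return tuple(nibbles[2:])  # rest of byte 0 is silently ignored


def decode_strict(mask: bytes) -> tuple:
    """Post-fix rule from the article: byte 0 must be exactly 0x00."""
    if not mask or mask[0] != 0x00:
        raise ValueError("non-canonical branch mask")
    return decode_lenient(mask)


def exit_key(mask: bytes) -> int:
    """Stand-in (assumption) for an ID derived from the raw encoded bytes."""
    return int.from_bytes(mask, "big")


def aliases(canonical: bytes, decoder) -> list:
    """First-byte variants of `canonical` that the decoder accepts and maps
    to the same path as the canonical encoding."""
    want = decode_lenient(canonical)
    found = []
    for first in range(256):
        candidate = bytes([first]) + canonical[1:]
        try:
            if decoder(candidate) == want:
                found.append(candidate)
        except ValueError:
            pass  # rejected as non-canonical
    return found


CANONICAL = bytes.fromhex("0080")  # constructed sample mask, not chain data

if __name__ == "__main__":
    for name, dec in (("lenient", decode_lenient), ("strict", decode_strict)):
        hits = aliases(CANONICAL, dec)
        keys = {exit_key(h) for h in hits}
        print(f"{name}: {len(hits)} encodings, {len(keys)} distinct keys")
```

In this model, 14 of the 16 possible first-nibble values cause byte 0 to be skipped, and the second nibble is free, which gives the 14 × 16 = 224 encodings of one path; the strict decoder accepts exactly one.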
The vulnerability was reported on October 5, as part of the bug bounty program that Polygon launched on Immunefi. The report was found eligible for the highest payout available as part of the program, namely $2 million.