Polygon (MATIC) double spend bug yields $2 million bounty for developer
Polygon, the Layer 2 solution on top of Ethereum, has recently paid out the highest ever bug bounty in history to a whitehat developer Gerhard Wagner for pointing out a double-spend bug in the network which could have resulted in huge losses if it had been exploited.
In a further sign of how even the best networks can continue to have vulnerabilities that lie undetected for weeks and months, it has been reported that Gerhard had noticed a critical vulnerability on October 5, 2021, on the Polygon Plasma Bridge. This could have put around $850 million at risk if it had been noticed and exploited by hackers but it is to the credit of Gerhard that he, along with Immunefi, chose to escalate it to the Polygon team. This is also a further validation on why companies need to have bug bounty programs as it encourages good developers and hackers to test out the security of the network and point out the vulnerabilities to the network providers for analysis and fixing and the developers themselves get rewarded by the network for the same, and in this case, the developer was rewarded handsomely.
Once the bug was informed to Polygon, it confirmed the bug within 30 minutes and it set about to fix the issue as soon as possible. As the funds at risk were huge, it was calculated that the bug bounty should be the maximum which is $2 million. The whitehat Gerhard received the bounty and the whole process, including the reporting, bounty payout, bug fix, and deployment into the main net was completed within a week. It is to the credit of all involved that things moved quickly before any damage was made.
Blockchain and crypto networks continue to be at risk from time to time due to such vulnerabilities but truth be told, with digitalization taking over the financial industry, this risk is likely to be there in all systems shortly. There cannot be a single, universal fix for this risk and the businesses and networks need to learn to live with it which is why it is important to have tight and closed-loop processes built with security companies as well, to ensure that such vulnerabilities are handled effectively in the long term thereby reducing the losses along the way.