The Polygon project launched its bounty program in September, and it caught the attention of security researcher Gerhard Wagner. He noted that Polygon relies on Plasma to secure transactions between its network and Ethereum, a mechanism that, in his opinion, is difficult to implement reliably.
Wagner described how he found the vulnerability in the Plasma Bridge, which he called a "double spending bug". By exploiting an error in the code, an attacker could withdraw 223 times the original value of the deposited tokens: each deposit of $200,000 could have yielded an attacker $44.6 million. Had the vulnerability been exploited, the protocol's losses could have reached $850 million.
The Polygon developers paid the program's maximum reward of $2 million for the finding, the largest bug bounty in the history of DeFi.
The Polygon developers also confirmed that the bug was present on mainnet. Wagner suggested that the problem arose "due to the use of third-party code without fully understanding it." He added that the developers' fix was "not too sophisticated" but did its job.