Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Bug bounty platform Immunefi says white hat hacker Gerhard Wagner submitted a critical vulnerability affecting the Polygon Plasma Bridge on October 5, 2021. The bug allowed an attacker to withdraw the same burn transaction from the bridge multiple times, up to 223 times. About $850 million was at risk, and an attack with just $100,000 would have resulted in a loss of $22.3 million. Polygon confirmed the bug and immediately began fixing the underlying issue, which was resolved within a week. Polygon agreed to pay up to $2 million for the submission.

Attack method (per SlowMist): Double Spend Attack. Reported loss: $2,000,000.
- chain: polygon
- protocol: Polygon Plasma Bridge
- bug_class: infrastructure
- date_occurred: 2021-10-21
- loss_usd: $2,000,000
- source_id: sm:polygon-plasma-bridge::2021-10-21