Polygon is a decentralised Ethereum scaling platform that enables developers to build scalable user-friendly dApps with low transaction fees without ever sacrificing on security.

Whitehat Niv Yehezkel submitted a report to Polygon along with a local mainnet fork proof of concept (PoC) to demonstrate a consensus bypass vulnerability. Niv discovered a vulnerability in the proof of stake (PoS) system in Polygon’s smart contract on Ethereum, which would have allowed an attacker to decrease the total staking power, allowing a consensus (⅔ threshold) bypass that could potentially have allowed an attacker to drain all funds from the deposit manager, engage in unlimited withdrawals, DoS and more.

The bug was given a severity level of high due to the complexity of the exploit, and the whitehat was rewarded with a bounty of $75,000.

For the attacker to have exploited this vulnerability, specific market conditions would have had to have been met. For example, a validator spot had to have been open, and the capital requirements were high (less capital means longer the attack takes). The amount to pay the miners directly to stay in the validator spot using flashbots was also high. Additionally, the checkpoint time for the Polygon network happens every 30–45 minutes, and the attacker would have needed to maintain the validator spot for a long time, thus increasing the costs of the attack due to time requirements.

The vulnerability arises when delegators migrate their delegations from one validator to another. The contract calls updateTimeline(-amount), which ends up subtracting the total validator power from the stakeManager contract, and once that validator unstakes, the counter of total staking power will be updated again by decreasing the validator amount + delegated amount again from the contract.