link.png

ID:

polygon-1114

Date:

Status:

Incident Count:

January 15, 2022

Near-Miss

2

info.png
target.png
REKT

Contributor:

chain.png

web3rekt.com

KYC By:

KYC:

None

info.png

Audit By:

Audits:

Certik

Loss Amount:

-

info.png

Recovered:

-

Rewards:

75,000

Currency:

USD

info.png

Key Indicators

Platform:

Type:

Category:

Method:

Data Sources:

Ethereum

Protocol

Layer 2

Near-Miss

Extended Method:

Logic error in migrating validators from one to another

info.png

Days in Operation:

841

(2.30 Years)

chain.png
chain.png
chain.png
chain.png
datasource.png

Polygon is a decentralised Ethereum scaling platform that enables developers to build scalable user-friendly dApps with low transaction fees without ever sacrificing on security.

Whitehat Niv Yehezkel submitted a report to Polygon along with a local mainnet fork proof of concept (PoC) to demonstrate a consensus bypass vulnerability. Niv discovered a vulnerability in the proof of stake (PoS) system in Polygon’s smart contract on Ethereum, which would have allowed an attacker to decrease the total staking power, allowing a consensus (⅔ threshold) bypass that could potentially have allowed an attacker to drain all funds from the deposit manager, engage in unlimited withdrawals, DoS and more.

The bug was given a severity level of high due to the complexity of the exploit, and the whitehat was rewarded with a bounty of $75,000.

For the attacker to have exploited this vulnerability, specific market conditions would have had to have been met. For example, a validator spot had to have been open, and the capital requirements were high (less capital means longer the attack takes). The amount to pay the miners directly to stay in the validator spot using flashbots was also high. Additionally, the checkpoint time for the Polygon network happens every 30–45 minutes, and the attacker would have needed to maintain the validator spot for a long time, thus increasing the costs of the attack due to time requirements.

The vulnerability arises when delegators migrate their delegations from one validator to another. The contract calls updateTimeline(-amount), which ends up subtracting the total validator power from the stakeManager contract, and once that validator unstakes, the counter of total staking power will be updated again by decreasing the validator amount + delegated amount again from the contract.

info.png

DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose. 

Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.