Polygon pays $2M bounty on bug that could have compromised $850M in user funds
The white hat hacker speculated that the issue might have been created from "using someone else's code and not having a 100% understanding of what it does."

White hat hacker Gerhard Wagner has earned $2 million after reporting a solution to a potentially costly "double-spend" issue on the Polygon network.
According to an Oct. 21 blog post from Immunefi, a security service that helps to facilitate bug reports in decentralized finance projects, Polygon network's Plasma Bridge was at risk of having $850 million removed by a knowledgeable hacker. According to the project, the vulnerability would have allowed attackers to exit their burn transaction from the bridge up to 223 times, quickly turning an amount like $4,500 into $1 million profit.
Immunefi reported the double-spend exploit worked by first depositing Ether (ETH) through the Plasma Bridge and starting the withdrawal process after the transaction was confirmed. A hacker could then wait a week and resubmit the same withdrawals with the exception of "a modified first byte of the branch mask." Provided the hacker began with $3.8 million, they could have potentially depleted all $850 million in funds from the bridge's deposit manager at the time.
Polygon agreed to pay its maximum amount for a bug bounty report — $2 million — following Wagner's initial report on Oct. 5. According to the platform, the bug fix has already been deployed on the mainnet after testing, Wagner has received the funds, claimed to be "the highest bounty ever paid out in history," and no user funds were lost with the exploit.
Wagner speculated on his Medium page that the bug might be due to "using someone else's code and not having a 100% understanding of what it does." He added the solution was "not very elegant" but did fix the double-spend exploit.
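The replay-protection failure described above can be modeled in a few lines. This is an added example, not code from Polygon, Immunefi or Wagner; the decoder behaviour (a first byte that is skipped unless its high nibble is 1 or 3), the `ExitRegistry` class and the sample mask are assumptions made for illustration. It contrasts a replay key built from the raw submitted bytes with one built from the decoded path.

```python
# Added illustration: a simplified model, not the Plasma Bridge contract code.
# Assumption: the proof path ("branch mask") is hex-prefix encoded and the decoder
# only recognises flag nibbles 1 and 3 (odd length); any other first byte is skipped.

def lenient_decode(mask: bytes) -> tuple:
    flag = mask[0] >> 4
    nibbles = [mask[0] & 0x0F] if flag in (1, 3) else []
    for b in mask[1:]:
        nibbles += [b >> 4, b & 0x0F]
    return tuple(nibbles)


class ExitRegistry:
    """Pays an exit once per replay key; `canonical` selects how that key is built."""

    def __init__(self, leaf_path: tuple, canonical: bool):
        self.leaf_path = leaf_path      # path of the genuine burn receipt (constructed)
        self.canonical = canonical
        self.seen = set()

    def submit(self, block: int, mask: bytes) -> bool:
        path = lenient_decode(mask)
        if path != self.leaf_path:      # proof would not verify against the trie
            return False
        # Weak: key on the raw bytes supplied. Hardened: key on the decoded path.
        key = (block, path) if self.canonical else (block, mask)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def payouts(canonical: bool) -> int:
    """Submit every first-byte variant of one constructed mask; count paid exits."""
    original = bytes([0x00, 0x08])                      # constructed sample
    reg = ExitRegistry(lenient_decode(original), canonical)
    return sum(reg.submit(1, bytes([first]) + original[1:]) for first in range(256))


if __name__ == "__main__":
    print("raw-byte replay key:", payouts(False))      # 1 genuine exit + 223 replays
    print("decoded-path replay key:", payouts(True))
```

Under these assumptions the raw-byte key accepts 223 extra encodings of the same exit, which matches the figure quoted in the article; keying on the decoded value accepts the exit once.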
Before this latest $2 million payout, the largest bounty for a white hat hacker had gone towards programmer Alexander Schlindwein, who in September discovered a vulnerability in Belt Finance's protocol and was awarded $1.05 million. However, the U.S. State Department may topple that record if a hacker can pass on information on terrorist suspects, extremists and state-sponsored hackers — the government said it would be offering rewards of up to $10 million.
Source: https://cointelegraph.com/news/polygon-pays-2m-bounty-on-bug-which-could-have-compromised-850m-in-user-funds
Posted by: davissuded1986.blogspot.com