- A security researcher discovered a potential vulnerability that could have resulted in the theft of up to $200 million from three Ethereum-compatible parachains on the Polkadot network: Moonbeam, Astar Network and Acala.
- The vulnerability was found in June in Frontier, a software used for “wrapping” native tokens on the three blockchain projects on the Polkadot network.
- The teams behind the three parachains worked to fix the issue and released an emergency patch before any malicious actors could exploit it, and no funds were lost.
- Moonbeam and Astar awarded pwning.eth a $1 million bounty through Immunefi, and Parity contributed $250,000 towards the reward.
- Pwning.eth has previously been rewarded for finding critical bugs, including a $6 million bounty in early 2022 for discovering a vulnerability in Aurora, an EVM (Ethereum Virtual Machine) compatible blockchain.
A software vulnerability that could have potentially resulted in the theft of up to $200 million from three Ethereum-compatible parachains on the Polkadot network (Moonbeam, Astar Network and Acala) was discovered by a security researcher known as pwning.eth according to The Block. The vulnerability was found in June in Frontier, a software used for “wrapping” native tokens on the three blockchain projects, also known as parachains, on the Polkadot network. Pwning.eth reported the critical vulnerability on Immunefi, a crypto-focused bug-hunting platform, on June 27, but the report was only recently made public.
According to a representative from Immunefi speaking to The Block, pwning.eth discovered a bug that could have had a significant impact on the entire Polkadot ecosystem and potentially allowed hackers to steal over $200 million across Moonbeam, Astar Network, and Acala. The representative added that all three were vulnerable to a bug that could have permitted malicious users to mint wrapped native tokens.
In crypto, “wrapping” refers to the process of converting the native crypto assets of a blockchain into tokens that can be more readily supported by apps. This is typically done through the use of a smart contract, which holds the native tokens in escrow and issues the wrapped tokens to the user. Wrapped tokens are essentially a representation of the native tokens, but they can be more easily traded and used on other platforms that may not natively support the original asset. Wrapping tokens can be useful for increasing the liquidity and usability of certain assets, but it also introduces additional risks, such as the possibility of smart contract vulnerabilities.
Immunefi estimated that the value of assets exposed to the vulnerability was around $200 million across the three parachains. The teams behind the three parachains worked to fix the issue and released an emergency patch before any malicious actors could exploit it, and as a result, no funds were lost.
Moonbeam and Astar, which have active bug-bounty programs with Immunefi, awarded pwning.eth a $1 million bounty through the platform. In addition, Parity, the developer of the Frontier Library, decided to contribute $250,000 towards the $1 million reward, despite not having a bug bounty with Immunefi. Pwning.eth has previously been rewarded for finding critical bugs in the past, such as in early 2022 when the white-hat hacker received a $6 million bounty for discovering a vulnerability in Aurora, an EVM (Ethereum Virtual Machine) compatible blockchain for NEAR Protocol, which saved approximately 70,000 ETH worth $210 million at the time.