Git-Mirrors/blockchains-security-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/blockchains-security-toolkit.git synced 2025-08-03 03:46:15 -04:00
Code Issues Projects Releases Packages Wiki Activity
blockchains-security-toolkit/vulnerabilities/top_immunefi_vulnerabilities/polygon3.md
bt3gl c20a0c35fd 🥔 add vulnerabilities
2022-10-10 10:17:13 -07:00

1.2 KiB
Raw Blame History

Polygon Double-Spend Bugfix Review



  • Polygon introduced two bridges: Plasma (more secure) and PoS bridge.
  • The main vulnerability lies in how Polygons WithdrawManager verifies the inclusion and uniqueness of the burn transaction in previous blocks.

Screen Shot 2022-06-20 at 12 06 30 AM

PoC

  1. Deposit a large amount of ETH/tokens to Polygon through the Plasma Bridge.
  2. After confirmation of the funds being available on the Polygon, start the Withdrawal process.
  3. Wait for seven days for an exit to be valid.
  4. Resubmit the exit payload but with a modified first byte of the branch mask.
  5. The same valid transaction can be resubmitted up to 223 times with different values for the first byte of the HP-encoded path.
  6. Profit.

Fix

  • The first byte of the encoded branch mask is supposed to always be 0x00.
  • The fix is to check if the first byte of the encoded branch mask is 0x00 and not to disregard it as an incorrect mask.