Immunefi researcher saves $200 million from potential theft on three Polkadot parachains

Quick Take

  • An Immunefi security researcher found a critical vulnerability on three Polkadot parachains.
  • The researcher, known as pwning.eth, was awarded a $1 million bounty.

A security researcher discovered a software vulnerability that could have been exploited to steal as much as $200 million from three Ethereum-compatible parachains on Polkadot — Moonbeam, Astar Network and Acala.

The researcher, known as pwning.eth, found and reported the critical vulnerability in June in a software called Frontier that is used for "wrapping" native tokens on the three blockchain projects (or parachains) on the Polkadot network. The report was submitted on the crypto-focused bug-hunting platform Immunefi on June 27, but only recently disclosed.

"Pwning.eth found a bug that impacted the entire Polkadot ecosystem and would allow hackers to steal over $200 million across Moonbeam, Astar Network, and Acala," a representative from Immunefi told The Block. "They were all vulnerable to a bug that could have allowed malicious users to mint wrapped native tokens." 

In this case, wrapping is the process of converting the native crypto assets of blockchains into tokens that can be more readily supported by apps. It is done with the use of a smart contract, which holds the native tokens in escrow and issues the wrapped tokens to the user.

The vulnerability on the three chains could have been abused to mint unlimited wrapped tokens, including wrapped astar (WASTR) on Astar, wrapped moonbeam (WGLMR) on Moonbeam, and wrapped moonriver (WMOVR) on Moonriver, a sister network of Moonbeam.


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

The estimated value of assets exposed to the vulnerability was about $200 million across the three parachains, Immunefi said. After the vulnerability was reported, the three parachain teams worked to fix it and released an emergency patch before any malicious actors could exploit it. No funds were lost.  

Moonbeam and Astar, which have active bug-bounty programs with Immunefi, awarded $1 million to the ethical hacker through Immunefi. Parity, developer of the Frontier Library, decided to contribute $250,000 toward the $1 million reward, despite not having a bug bounty with Immunefi.

Pwning.eth is no stranger to finding critical bugs and being awarded large sums. In early 2022, the white-hat hacker was rewarded with a $6 million bounty after discovering a vulnerability in Aurora, an EVM compatible blockchain for NEAR Protocol, saving about 70,000 ETH worth $200 million at the time.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]


To contact the editor of this story:
Mike Millard at
[email protected]