A security researcher discovered a software vulnerability that could have been exploited to steal as much as $200 million from three Ethereum-compatible parachains on Polkadot — Moonbeam, Astar Network and Acala.
The researcher, known as pwning.eth, found and reported the critical vulnerability in June in a software called Frontier that is used for "wrapping" native tokens on the three blockchain projects (or parachains) on the Polkadot network. The report was submitted on the crypto-focused bug-hunting platform Immunefi on June 27, but only recently disclosed.
"Pwning.eth found a bug that impacted the entire Polkadot ecosystem and would allow hackers to steal over $200 million across Moonbeam, Astar Network, and Acala," a representative from Immunefi told The Block. "They were all vulnerable to a bug that could have allowed malicious users to mint wrapped native tokens."
In this case, wrapping is the process of converting the native crypto assets of blockchains into tokens that can be more readily supported by apps. It is done with the use of a smart contract, which holds the native tokens in escrow and issues the wrapped tokens to the user.
The vulnerability on the three chains could have been abused to mint unlimited wrapped tokens, including wrapped astar (WASTR) on Astar, wrapped moonbeam (WGLMR) on Moonbeam, and wrapped moonriver (WMOVR) on Moonriver, a sister network of Moonbeam.
The estimated value of assets exposed to the vulnerability was about $200 million across the three parachains, Immunefi said. After the vulnerability was reported, the three parachain teams worked to fix it and released an emergency patch before any malicious actors could exploit it. No funds were lost.
Moonbeam and Astar, which have active bug-bounty programs with Immunefi, awarded $1 million to the ethical hacker through Immunefi. Parity, developer of the Frontier Library, decided to contribute $250,000 toward the $1 million reward, despite not having a bug bounty with Immunefi.
Pwning.eth is no stranger to finding critical bugs and being awarded large sums. In early 2022, the white-hat hacker was rewarded with a $6 million bounty after discovering a vulnerability in Aurora, an EVM compatible blockchain for NEAR Protocol, saving about 70,000 ETH worth $200 million at the time.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.