Double spending bug in Polygon’s Plasma bridge

Polygon’s Plasma overview

Polygon’s network overview

The bug

  • block receipt root: receipts root hash of the block
  • receipt: a receipt containing all essential information of a transaction such as sender, receiver, amount, and what token is sent
  • receipt proof: Merkle proof of the receipt
  • branch mask: the traversal path of where the receipt hash is located within the receipt proof

verifyInclusion function in WithdrawManager contract

verify function in MerklePatriciaProof library

_getNibbleArray function in MerklePatriciaProof library

All encoded branch mask variants decode to the same raw branch mask

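The caption above says every encoded branch mask variant decodes to the same raw branch mask. As an added example (not code from the article or from Polygon's contracts), the Python model below contrasts an assumed lenient hex-prefix decoder with a strict one that accepts a single canonical encoding. The function names, the decoding rule chosen for each and the sample bytes are constructed for illustration.

```python
# Added example: a constructed model, not the MerklePatriciaProof library's code.
# Hex-prefix (HP) encoding packs a nibble path into bytes. The first nibble is a
# flag (0 or 2 = even-length path, 1 or 3 = odd-length path); for an even-length
# path the second nibble is zero padding.

def to_nibbles(data: bytes) -> list:
    return [n for b in data for n in (b >> 4, b & 0x0F)]

def lenient_decode(encoded: bytes) -> list:
    """Assumed lenient rule: only asks whether the flag nibble is 1 or 3."""
    nibbles = to_nibbles(encoded)
    if not nibbles:
        return []
    if nibbles[0] in (1, 3):
        return nibbles[1:]  # odd path: low nibble of byte 0 is path data
    return nibbles[2:]      # any other flag: the whole first byte is ignored

def strict_decode(encoded: bytes) -> list:
    """Assumed canonical rule for a bare path (no leaf/extension distinction):
    flag 0 with zero padding, or flag 1. Everything else is rejected."""
    nibbles = to_nibbles(encoded)
    if not nibbles:
        raise ValueError("empty encoding")
    if nibbles[0] == 0 and nibbles[1] == 0:
        return nibbles[2:]
    if nibbles[0] == 1:
        return nibbles[1:]
    raise ValueError("non-canonical prefix byte 0x%02x" % encoded[0])

def accepted_variants(decoder, tail: bytes) -> list:
    """All first-byte values for which `decoder` returns the canonical path."""
    canonical = to_nibbles(tail)
    hits = []
    for first in range(256):
        candidate = bytes([first]) + tail
        try:
            if decoder(candidate) == canonical:
                hits.append(candidate)
        except ValueError:
            continue
    return hits

SAMPLE_TAIL = bytes([0x81])  # constructed sample: even-length path, nibbles 8 and 1

if __name__ == "__main__":
    for name, dec in (("lenient", lenient_decode), ("strict", strict_decode)):
        print(name, "decoder accepts", len(accepted_variants(dec, SAMPLE_TAIL)), "encodings")
```

Any identifier derived from the encoded bytes rather than from the decoded path inherits this ambiguity, so uniqueness checks belong on the canonical form.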
  • deposits 200,000 USD worth of tokens to the DepositManager contract
  • burns the tokens with a burn transaction on Polygon network
  • starts the exit
  • waits the seven days challenge period
  • processes the exit and gets the initial funds back

The fix

TL;DR

Gerhard Wagner
