A researcher at Immunefi prevents the theft of $200 million from three Polkadot parachains
A security researcher at Immunefi discovered a major flaw in three Polkadot parachains.
A security researcher uncovered a software flaw that could have been used to steal up to $200 million from Moonbeam, Astar Network, and Acala, three Ethereum-compatible parachains on Polkadot.
In June, the researcher known as pwning.eth discovered and disclosed a significant flaw in the Frontier software used to “wrap” native coins on the three blockchain projects (or parachains) on the Polkadot network. The report was filed on the crypto-centric bug-hunting portal Immunefi on June 27, although it was not made public until recently.
An Immunefi representative told The Block that “Pwning.eth discovered a problem that affected the whole Polkadot ecosystem and would let hackers steal over $200 million across Moonbeam, Astar Network, and Acala.” All of them were susceptible to a vulnerability that may have enabled malicious users to generate wrapped native tokens.
In this instance, wrapping is the process of transforming the native crypto assets of blockchains into tokens that can be supported more easily by applications. A smart contract holds the native tokens in escrow and issues the wrapped tokens to the user.
The vulnerability in the three chains could have been exploited to mint an unlimited number of wrapped tokens, such as wrapped astar (WASTR) on Astar, wrapped moonbeam (WGLMR) on Moonbeam, and wrapped moonriver (WMOVR) on Moonriver, a sister network of Moonbeam.
The estimated value of assets exposed to the vulnerability across all three parachains was around $200 million, according to Immunefi. Once it was disclosed, the three parachain teams worked to fix it and delivered an emergency patch before any bad actors could exploit it. No funds were lost.
Moonbeam and Astar, both of which have active bug bounty programs with Immunefi, rewarded the ethical hacker $1 million through Immunefi. Despite not having a bug bounty with Immunefi, Parity, the creator of the Frontier library, chose to contribute $250,000 to the $1 million award.
Pwning.eth is no stranger to discovering important vulnerabilities and receiving large rewards. Early in 2022, the white-hat hacker was awarded a $6 million bounty for identifying a flaw in Aurora, an EVM-compatible blockchain for the NEAR Protocol, saving around 70,000 ETH worth $200 million.