Cointime

Cointime

Download App
iOS & Android

Lost in Translation: Polygon Bridge’s Unclaimed Millions

Validated Media

At ZenGo – the non-custodial MPC wallet with no private key – we are preparing to add support for  Polygon’s POS chain (AKA Polygon or MATIC). This will allow ZenGo users to enjoy Web3 DeFi and NFTs with lower gas fees, and offer all Polygon users a wallet with 10x more security than traditional wallets currently supporting Polygon. One of the key elements of Polygon’s success is its bridging technology, allowing users to virtually move assets (such as NFTs and tokens) from the Ethereum blockchain to the Polygon blockchain and vice versa.

Coming Soon! TM 😉

As part of our ongoing research on blockchains and their security features, we investigated the inner workings of Polygon’s bridge. There, we discovered millions of USD of forgotten bridged tokens that have not been claimed by their owners. As a result of this research we were able to help a whale user reclaim $2M of funds, together with the Polygon team.

In this blog we dive into the inner workings of the Polygon bridge, successfully verify its financial soundness by leveraging some newly-developed Dune Analytics capabilities, discuss the phenomena of forgotten funds, and show how they can be claimed by their rightful owners.

How the Polygon Bridge Works

To bridge assets between Ethereum and Polygon, users must rely on a dapp, like the official Polygon bridge.

The Polygon Bridge Dapp (https://wallet.polygon.technology/bridge)

But what happens behind the scenes of this dapp, how does it work?

When users want to transfer an asset from Ethereum to Polygon (AKA “deposit”), say 100 USDT, they send it to a contract deployed by Polygon on the Ethereum blockchain and this contract emits an event. Polygon validator nodes are monitoring for such events and when they find them, they mint the appropriate amount/asset (100 USDT) on the Polygon blockchain and send it to the user’s address. The user’s Polygon address remains the same address as on Ethereum.

Therefore as users, in order to bridge an Ethereum based token to Polygon, we send just a single transaction on Ethereum and after a while the tokens will appear in our wallet on the Polygon side.

Once that token is on the Polygon side, users can engage in whatever form of DeFi they choose and enjoy Polygon’s lower fees and faster completion times. The value of the bridged USDT on the Polygon side remains the same as it was on the Ethereum side, as it’s 1:1 backed by original Ethereum USDT, held by the Polygon’s Ethereum contract.

Let’s assume that after a while, our users profit and now want to bridge their newly earned 200 USDT back to Ethereum (AKA “withdraw”). The process is similar in nature, but a bit different in details.

First, the user has to “burn” (send to the 0 address) their USDT Polygon tokens. As before, Polygon validators are monitoring for such burn events on the Polygon network, accumulate, and aggregate a few of such burns over a period of time and update the Polygon Ethereum side with this aggregated information.

But unlike Polygon deposits, when a user withdraws their assets back to the Ethereum side, they need to send an additional Ethereum transaction to claim their USDT from the Polygon Ethereum contract. The claim transaction contains a cryptographic proof that the withdrawer actually burned their tokens on the Polygon side. Once the contract gets the proof, it validates it and sends the tokens to the withdrawer address on Ethereum. 

Summing up, the deposit side (Ethereum → Polygon) is a one click process that takes a few minutes. However, the withdrawal side (Polygon → Ethereum) is a two step process, and may take a few hours between the first step and the availability of the final step.

Verifying the Financial Soundness of Polygon Bridge

The financial soundness of the bridge stems from the fact that for each asset minted on the Polygon side of the bridge, Polygon’s contract on the Ethereum side holds the appropriate amount – given recent news with custodial exchanges and phantom assets, you might consider this inquiry as an attempt to confirm a blockchain’s “Proof of reserves”

Luckily, unlike with centralized exchanges, in DeFi all information is available on the blockchain and we can easily and directly verify it without trusting an obscure proof of reserve document.

Using Etherscan we can see that the Polygon contract holds (as of November 13th, 2022) more than a $7 billion worth of ERC20 tokens alone (without taking into account ETH and NFTs).

When we compared the numbers across the bridge, we were happy to find out that the Ethereum side always had more tokens than the Polygon side, meaning that all of the tokens that were bridged to Polygon are indeed properly backed by Ethereum tokens.

However, we noticed a big surplus of about 1% extra token on the Ethereum side, which required an explanation.

For example: On November 13th, USDT on the Polygon side had 675M units (see below) while the Ethereum side had 683M units (see above).

Polygon bridge ERC20 holdings greater than $7B, on November 13th, 2022 (Source: Etherscan)

We verified that the same phenomena of 1% differences repeat on other major assets such as USDC, ETH, DAI.

Difference in main asset balances across the bridge (as of November 25, 2022)

While 1% may not sound like much, when dealing with $7B sums it can be material.

Forgotten Funds Analysis

To spot the missing funds, we tried to match burned transactions on the Polygon side with their counterpart claim transactions on the Ethereum side. To do so, we took advantage of a new query engine recently developed by Dune Analytics that allows cross-chain queries.

Unclaimed USDT Dune Analytics query (see https://dune.com/queries/1536897)

Using this query, we were able to verify that indeed there were more withdraw calls on the Polygon side than the expected counterpart claim calls on the Ethereum side. As the screenshot above shows, there were about 3000 withdraw calls that are unmatched to a claim just for USDT.

We have since developed and are happy to share a generic Dune Analytics query that supports any bridged ERC20 pair. 

Our generic Dune Analytics query that supports any Polygon bridged ERC20 pair

Holidays came early: Saving $2M for user 007

Looking deeper into individual cases we found many interesting examples. For example, this mysterious user (appropriately abbreviated to 0x007) made two withdraws of both Wrapped ETH and Wrapped BTC on Polygon, each of them worth more than $1M over half a year ago but still have not claimed it on the Ethereum side.

Burning on Polygon (sending to the “0” address) but never claiming on the Ethereum side

We can see that this user was still active on Ethereum a month later, so we can rule out key loss as the reason for not claiming the funds.

To make sure that indeed these funds can be claimed by the user, we simulated the claiming transaction on a simulation platform that can ignore we are not user 0x007, providing it with the appropriate burn proof and were able to claim the $1M lost ETH, meaning the original user can do it too.

Although it’s hard to imagine how someone can just “forget” about millions of USD, we assume that it might be related to the fact that additional transactions are required and that the funds are not claimable immediately, therefore creating room for such mistakes.

When we reported our findings to the Polygon team on November 23rd, 2022, they sent the relevant claiming transactions to the user, releasing $2M from the Polygon bridge to that user’s account. It’s worth noting that any altruistic user willing to pay the gas price, not just Polygon, could claim the unclaimed funds and move them to the original withdrawing account.

007’s account reunited with their $2M unclaimed funds on November 23rd (Source: Debank )

We could only imagine that it was a very nice surprise for 007, waking up and finding an extra $2M in their Ethereum account!

Summing up

The Polygon blockchain and its bridging capabilities can be very useful to users. Bridging from Ethereum is quite straightforward, however bridging back might be more cumbersome to users, currently resulting in potential losses currently valued in millions of USD.

Luckily, nothing is permanently lost! If you have such unclaimed bridge funds, feel free to reach out to us and we will try to help you get your money back!

In the meantime…

  • Follow ZenGo on Twitter for latest updates: @ZenGo
  • Learn more about ZenGo X, our open-source MPC library, and github here.
Polygon
Comments

All Comments

Recommended for you

  • Cointime May 4th News Express

    1. Hong Kong Bitcoin Spot ETF has held 4,218 BTC since its listing three days ago

  • Blockchain Asset Management announces launch of a dedicated blockchain fund for accredited investors

    Blockchain Asset Management, a cryptocurrency fund with a scale of $100 million, announced the launch of an exclusive blockchain fund for qualified investors. The specific amount of funds raised by the fund has not been disclosed yet, but it is said to have reached "eight figures", which means it is in the tens of millions of dollars. In addition, the investment threshold for the new fund is $100,000, and all investors are required to meet the approved standards (annual income exceeding $200,000, net assets exceeding $1 million).

  • Renault's BWT Alpine F1 Team announces partnership with ApeCoinDAO

    The BWT Alpine F1 team under Renault announced a partnership with ApeCoinDAO on X platform, which will introduce APE into the Alpine F1 ecosystem and collaborate with global token holders to launch peripheral products and digital assets inspired by the first ApeCoin. It is reported that according to the cooperation between the two parties, in the future, BAYC NFTs may be able to wear equipment and clothing with the Alpine team logo.

  • BTC breaks through $63,000

    The market shows BTC has broken through $63,000 and is currently trading at $63,014.9, with a daily increase of 6.11%. The market is volatile, so please exercise caution in risk management.

  • The total gas consumption on the Base chain exceeds 10,000 ETH

    According to the blockchain analysis platform Dune Analytics, the total gas consumption on the Base chain has exceeded 10,000 ETH, reaching 10,839.5062 ETH at the time of writing (equivalent to over $33.6 million at current prices). The average gas usage amount is about $0.1754 per transaction (0.000059661 ETH), and the total number of blocks has reached 13.41 million, with an average transaction volume of about 14.63 transactions per block. In addition, the data shows that the total transaction volume on the Base chain has exceeded 196.2 million, with over 8.366 million users and over 184 million user transactions at the time of writing. Furthermore, the total number of contracts created on the Base chain has exceeded 64 million, reaching 64,056,573 in the current period.

  • A wallet received 2,000 ETH from Alemeda/FTX

    As monitored by The Data Nerd, 6 hours ago, wallet 0xaEa received 2,000 ETH (approximately $6.23 million) from Alemeda/FTX. Within a week, it received a total of 8,000 ETH (approximately $24.71 million) from Alameda and deposited 6,000 ETH into Binance.

  • A single transaction with a transaction fee of up to 1.5 BTC appeared on the Bitcoin chain

    According to on-chain data tracking service monitoring , there has been a single transaction on the Bitcoin network with a transaction fee as high as 1.5 BTC, worth about $100,254. It is reported that the sender of the transaction is an address starting with "bc1p4n" and the recipient is an address starting with "bc1pqv".

  • 2 wallets deposited 211 billion SHIB into Coinbase within 10 hours

    According to The Data Nerd's monitoring, within 10 hours, 2 wallets (with the same amount of SHIB) deposited a total of 211 billion SHIB (about 5.16 million US dollars) into Coinbase. These wallets accumulated these SHIBs last week, and if sold at the current price, it would cause a small loss (about 120,000 US dollars).

  • USDT issuance on TON chain reaches $100 million

    According to official data, the issuance and circulation of USDT on the TON chain has reached 100 million US dollars, making TON the fastest-growing blockchain for Tether USDT issuance in Web3 history.

  • In April, Polygon’s on-chain NFT sales exceeded US$50 million, setting the second highest record of the year

    According to Cryptoslam data, the NFT sales on Polygon chain in April exceeded 50 million US dollars, reaching 51,539,690.69 US dollars, setting the second highest monthly sales record in 2024, second only to January's sales of 112 million US dollars this year. In addition, the NFT trading volume on Polygon chain in April increased significantly to 1.5 million transactions, with nearly 90,000 independent sellers and over 33,000 independent buyers.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company