Three Polkadot Parachains Discovered with Vulnerabilities

Three leading Polkadot parachains (Acala, Moonbeam, and Astar) were found to have critical vulnerabilities, which were patched promptly.

Polkadot Parachains Exposed to Security Flaws

A security expert has uncovered a software vulnerability that could jeopardize up to $200 million worth of assets across three top Polkadot parachains: Acala, Moonbeam, and Astar.

Specifically, the expert known as pwning.eth identified issues in the wrapped-token mechanisms of all three parachains as far back as June 2022. The vulnerabilities were reported to the bug bounty platform Immunefi and were only recently disclosed.

The flaw could be exploited to mint an unlimited amount of wrapped tokens, including Wrapped Astar (WASTR) on Astar, Wrapped Moonbeam (WGLMR) on Moonbeam, and Wrapped Moonriver (WMOVR) on Moonriver, a network closely related to Moonbeam. The potential damage from this vulnerability could reach up to $200 million.

Once the bug was reported, Acala, Moonbeam, and Astar swiftly collaborated to deploy a fix.

As a result of this discovery, pwning.eth received a $1 million reward from Immunefi. This individual is no stranger to bug bounty rewards; in early 2022, pwning.eth earned $6 million for identifying a flaw in Aurora, an EVM bridge for Near Protocol, which saved 70,000 ETH.
