ZenGo analyzed the internal workings of Polygon’s bridge as part of its continuous research into blockchains and their security mechanisms. There, the company found forgotten bridged tokens worth millions of dollars that their owners still needed to retrieve.
According to the firm, cryptocurrency users have left $27 million in unclaimed assets on the Polygon bridge, possibly due to the two-step withdrawal process.
Similar transactions but different processes
Cryptocurrency users can transfer tokens across the two blockchains via this bridge across Polygon and Ethereum. A user only needs one transaction to connect from Ethereum to Polygon. On the contrary, to correctly withdraw assets in Ethereum, customers must first send their money to Ethereum, wait for about an hour, and then collect their assets in a second transaction.
According to cryptocurrency wallet ZenGo in a blog post, over 35,000 transfers back to the Ethereum side of the bridge that needs to be supported by subsequent claims. The amount sent here totals about $27 million, divided between ETH and the stablecoins USDT, USDC, and DAI.
How ZenGo found the missing funds
By comparing ‘burned’ transactions on the Polygon end with their corresponding claim transactional operations on the Ethereum side, ZenGo attempted to identify the missing funds. They did this by utilizing a brand-new cross-chain query engine that Dune Analytics recently created.
Using this method, they could confirm more withdrawal requests on the Polygon end than the anticipated corresponding claim requests on the Ethereum end. There were roughly 3000 withdrawal calls that couldn’t be connected to a USDT claim.
Polygon team helps one user who hadn’t reclaimed $2 million
Before it was published, ZenGo discussed this analysis with the Polygon group. The Polygon team decided to conduct a claim transfer on one user’s behalf, who had left $2 million in unclaimed payments on the bridge. The withdrawal procedure was never fully completed when this person delivered the tokens back to the Ethereum end of the bridge in May.
Anybody can make a claim transactional operation, but the money always goes to the asset owner. The transaction fee must be paid by whoever initiates the claim process.
Even though it’s challenging to comprehend how someone could simply ‘forget’ about millions of dollars, ZenGo Co-Founder and CTO Tal Be’ery said that they believe it may be linked to the fact that extra transactions are necessary. The finances are not immediately available, which leaves room for such errors.
The money has yet to be lost, though. According to a direct message from Mudit Gupta, the chief information security officer at Polygon, some may be on the verge of being transferred to the Ethereum chain. Gupta also mentioned that some users might have unintentionally moved some money to the Ethereum address.