Specifically, a user could deposit a specific amount to the Polygon Plasma Bridge, withdraw the entire sum, and then submit the same withdrawal transaction an additional 223 times, each time receiving the full amount. Basically, one could deposit $1 million and withdraw $224 million.
With the DepositManager for the Plasma Bridge holding roughly $850 million in total, an attacker could have depleted the entire amount using multiple fraudulent transactions.
