Arbitrum, one of Ethereum’s most popular Layer 2 scaling solutions, averted a catastrophic crisis when a white-hat hacker alerted the platform to a critical bug he discovered while upgrading Arbitrum Nitro.
The hacker, who goes by the name Riptide (@0xriptide) on Twitter, discovered “Multi-Million Dollar” Vulnerability in Ethereum-Arbitrum Nitro Bridge. The flaw would allow any bad actor to hijack incoming ETH deposits from users trying to switch to Arbitrum.
Riptide scanned Arbitrum Nitro’s code ahead of its planned release to look for bugs. After executing the “initializer”, he realized that the contract was “completely vulnerable” and opened the door for hackers to exploit the thousands of ETH deposits that the platform accepted every day.
Developers in the community aren’t really fans of initializers and they have criticized their use in codes.
Riptide often claims bug bounties and focuses mainly on finding vulnerabilities exclusively within smart contracts written in Solidity.
Being the white hat hacker that he is, Riptide decided to inform Arbitrum of his discovery rather than exploit the bug for personal gain. Of course, there is a bug bounty on several platforms to encourage hackers to report such events.
In this case, Arbitrum rewarded the hacker with 400 ETH, which is just over half a million dollars. According to Riptide’s calculations, its efforts have saved the platform more than $470 million, $225 million of which is related to a single transaction.
He believes his discovery was eligible for the maximum reward of $2 million. “If you post a 2mm bounty – be prepared to pay it when it’s warranted. Otherwise just say the max reward is 400 ETH and be done with it.” he added, stating that cutting the reward for honest work does little to prevent a white hat from straying down a malevolent path.
Earlier this year in March, TreasureDAO, an NFT marketplace based on Arbutrum, was exploited to the tune of $1.4 million after hackers managed to steal more than 100 NFTs from the platform.
More hacks on bridges
Blockchain intelligence firm Chainalysis registered last month that vulnerabilities in cross chain bridges like the one mentioned above have emerged as the biggest security risk.
More than $1.3 billion was lost to bridge hacks this year. The most notable bridge hacks of 2022 include Ronin, Nomad, and Wormhole.
The Nomad protocol came under fire last month after announcing an NFT reward scheme to encourage the hackers to return their share of the $190 million that was lost in the August 2nd hack.