Arbitrum, one of Ethereum’s most popular layer 2 scaling solutions, averted a catastrophic crisis when a white hat hacker alerted the platform to a critical bug he had discovered in the Arbitrum Nitro upgrade.
The discovery
The hacker, who goes by the name Riptide (@0xriptide) on Twitter, discovered the “multi-million dollar” vulnerability on the Ethereum-Arbitrum Nitro bridge. The bug would’ve enabled any bad actor to hijack incoming ETH deposits from users attempting to bridge to Arbitrum.
Riptide scanned the Arbitrum Nitro code before its intended release to look for flaws. Upon execution of the “initializer”, he realized that the contract was “completely vulnerable” and opened the door for hackers to exploit the thousands of ETH deposits that the platform accepted every day.
Developers in the community are not particularly fond of initializers and have criticized their use in code.
Riptide often looks for bug bounties, and his main focus is searching for vulnerabilities, solely within smart contracts written in Solidity.
The reward
Being a white hat hacker, Riptide chose to inform Arbitrum of his discovery rather than exploit the bug for personal gain. Of course, several platforms have bug bounties in place to incentivize hackers to report such findings.
In this case, Arbitrum rewarded the hacker with 400 ETH, which is a little more than half a million dollars. As per Riptide’s calculations, his efforts saved the platform more than $470 million, $225 million of which is associated with a single transaction.
He believes that his discovery was eligible for the maximum tier bounty of $2 million. “if you post a $2mm bounty- be prepared to pay it when it’s justified. Otherwise just say the max bounty is 400 ETH and be done with it,” he added, while stating that cutting short the reward for honest work doesn’t do much to keep a white hat from straying towards a malicious path.
Earlier this year in March, TreasureDAO, the Arbitrum-based NFT marketplace, was exploited to the tune of $1.4 million after hackers managed to steal more than 100 NFTs from the platform.
Increasing bridge hacks
Blockchain intelligence firm Chainalysis reported last month that vulnerabilities in cross-chain bridges like the one mentioned above have emerged as a top security risk.
More than $1.3 billion has been lost to bridge hacks this year. The most notable 2022 bridge hacks include Ronin, Nomad, and Wormhole.
The Nomad protocol came under fire last month after it rolled out an NFT prize scheme in order to incentivize hackers to return their share of the $190 million that was lost in a hack on 2 August.