Arbitrum Rewards Hacker With 400 ETH For Detecting a Critical $400M Vulnerability

On Sept. 19, Arbitrum, one of Ethereum’s most popular Layer 2 solutions, paid 400 ETH (about $560,000) to a white-hat hacker who discovered a potential vulnerability in its code.
The white hat hacker, known on Twitter as Riptide, discovered a vulnerability in a smart contract written in Solidity. In a tweet, Riptide said a “multi-million dollar bug” could affect anyone looking to swap funds from Ethereum to Arbitrum Nitro.
No big deal, just pay a cool $470 through the same inbox contract 👀
Definitely should be eligible for maximum bounty
— Torrent (@0xriptide) September 20, 2022
Arbitrum avoids multi-million dollar losses
Riptide had thoroughly scanned the Arbitrum Nitro code in the weeks before the release, and checked the contracts again afterwards to “see if the update was successful.”
After the upgrade, Riptide noticed some bugs that prevented the bridge from working properly. Upon further inspection, Riptide noticed a delay in the inbox sequencer.
“Clients can send messages to the Sequencer by signing and publishing L1 transactions in the Arbitrum chain’s delayed inbox. This feature is most commonly used to deposit ETH or tokens via bridges.”
After re-examining the contract, Riptide confirmed that the delayed inbox issue created a critical vulnerability in the contract, through which Riptide, or any malicious actor, could have diverted incoming ETH deposits to the L1-to-L2 bridge into their own wallet and repeated the theft until it was detected, netting millions of dollars.
A bug bounty report for a critical vulnerability I found on Arbitrum Nitro that allows an attacker to steal all incoming ETH deposits to the L1->L2 bridge
https://t.co/WuR4RYUL3L @icodeblockchain @samiamka2 @Mudit__Gupta @0x recruiter @BowTiedCrocodil @BowTiedDevil
— Torrent (@0xriptide) September 20, 2022
Riptide decided to report the bug and claim a reward, and, to their surprise, the payout was 400 ETH rather than the $2 million maximum bounty Arbitrum advertises. After receiving the reward, the hacker argued that it did not reflect the importance of the vulnerability or the risk it posed.
My point is that if you post a 2mm bounty, be prepared to pay it when it makes sense. Otherwise, just say the maximum bounty is 400 ETH.
Hackers watch which items pay and which don’t
IMO not a good idea to encourage white hats to go black
— Torrent (@0xriptide) September 20, 2022
It is worth mentioning that in March 2022, Arbitrum fell victim to an attack where a hacker or group of hackers stole over 100 NFTs from TreasureDAO with a valuation of at least $1.4 million.
White Hat Hacking: A Profitable Business in Crypto-Land
Independent auditing is very important in the crypto ecosystem. Over the past year, several platforms have opted to pay bounties to white hat hackers who report potential vulnerabilities in their code or smart contracts.
For example, in mid-February, Coinbase paid the “largest bounty in its history” ($250,000) to a hacker known as “Tree of Alpha”, whose report saved it from potentially billions of dollars in losses due to a flaw in its “Advanced Transactions” feature.
At the time, Tree of Alpha thanked Coinbase for the payment, saying it would serve him well in retirement. However, like Riptide, he noted that “higher bounties may be sensible to deter more grey hat exploits.”
In addition, Jay “Saurik” Freeman, who works on the decentralized VPN protocol Orchid and is a legend in the iOS jailbreak community, received over $2 million for reporting vulnerabilities in Optimism, another Ethereum “Layer 2 scaling solution”.