White hat finds huge vulnerability in ETH to Arbitrum bridge: Wen max bounty?
A self-proclaimed white hat hacker has found a “multi-million dollar vulnerability” in the bridge connecting Ethereum and Arbitrum Nitro and has been awarded a bounty of 400 ether (ETH).
The hacker, known as riptide on Twitter, described the vulnerability as using an initialization function to set up their own bridge addresses, which would hijack all incoming ETH deposits from those trying to connect funds from Ethereum to Arbitrum Nitro.
Riptide explains the exploit in Medium postal September 20:
“We can selectively lock large ETH deposits to go undetected for a longer period of time, suck up every deposit that goes through the bridge, or wait and run early for the next large ETH deposit.”
The hack could net tens or even hundreds of millions worth of ETH, as the largest deposit torrent recorded in the inbox was 168,000 ETH worth over $225 million, with typical deposits going from 1,000 to 5,000 ETH in 24 hours. etc., worth between $1.34 and $6.7 million.
Despite the potential income from the ill-gotten gains, riptide thanked the “very basic Arbitrum team” for offering a bounty of 400 ETH worth over $536,500, but they later added on Twitter that such a discovery “should be eligible for the maximum bounty,” i.e. worth $2 million.
No big deal, just bridging a cool 470mm through the same inbox contract
Definitely should be eligible for maximum bounty
— Torrent (@0xriptide) September 20, 2022
Neither Arbitrum nor its creator company, OffChain Labs, have publicly commented on the vulnerability, and Cointelegraph reached out to OffChain Labs for comment but did not immediately hear back.
related: ETHW confirms contract exploit, dismisses replay attack claim
Arbitrum is Ethereum’s Layer 2 Optimistic Rollup solution that clusters batches of transactions before submitting them to the Ethereum network to minimize network congestion and save fees. Launched on August 31st, Arbitrum Nitro is an upgrade designed to simplify communication between Arbitrum and Ethereum and increase its transaction throughput with lower fees.
This year, similar styles of bridge hacks have been successful for exploiters, notably the $100 million stolen from Horizon Bridge in June and the recent Nomad Token Bridge incident in August, which led to the original hack and the “copycat” “Hackers repeatedly exploited this vulnerability and lost $190 million.