A self-proclaimed white hat hacker revealed a “multi-million dollar vulnerability” in the bridge connecting Ethereum and Arbitrum Nitro and received a 400 Ether (ETH) reward for their discovery.
The hacker, known as riptide on Twitter, described the exploit as using the initialization function to set their own bridge address, which would destroy all incoming ETH deposits from Ethereum to Arbitrum Nitro.
Riptide explained the exploit in a Medium post on September 20:
“In order for large ETH deposits to remain undetected for a long time, we collect each deposit that comes through the bridge or choose to wait for the next large ETH deposit and process it forward.”
Since the largest deposit recorded in Inbox was 168,000 ETH worth more than $225 million, and a typical deposit is worth between 1000 and 5000 ETH in a 24-hour period, the hack could have involved tens or hundreds of millions of ETH. Between 1.34 and 6.7 million dollars.
Despite the potential to profit from the ill-gotten gains, the “most grounded Arbitrum team” is thankfully offering a bonus of 400 ETH worth more than $536,500. ” That’s $2 million.
Just hooking up a cool $470mm with the same inbox contract is no big deal.
It should definitely qualify for a higher bonus.
https://t.co/w7S58QNQZu
— Riptide (@0xriptide) September 20, 2022
Neither Arbitrum nor the developer’s company, OffChain Labs, have publicly commented on the exploit, Cointelegraph reached out to OffChain Labs for comment, but it did not immediately respond.
Related: ETHW verifies contract vulnerability exploitation, rejects re-attack requests
Arbitrum is a Layer-2 Optimistic Packet solution for Ethereum, aggregating batches of transactions before submitting them to the Ethereum network to reduce network congestion and save fees. Arbitrum Nitro was launched on August 31, an update aimed at simplifying the relationship between Arbitrum and Ethereum, as well as increasing transaction volume with lower fees.
Similar bridge hacks have been successful for exploiters this year, most notably the $100 million stolen from Horizon Bridge in June and the Nomad Token Bridge incident in August in which $190 million was leaked from the original and “copycat” hackers replicated the exploit.