White Hat Discovers a Multi-million Dollar Vulnerability in ETH to Arbitrum Bridge

An anonymous white-hat hacker has discovered a “multi-million dollar vulnerability” in the bridge between Ethereum and Arbitrum Nitro and has been rewarded 400 Ether (ETH).

For Ethereum, Arbitrum offers layer-2 Optimistic Rollup, which clusters batches of transactions before submitting them to the Ethereum network to reduce congestion.

The Earning Potential from The ill-gotten Gains

The hacker, who goes by the name riptide on Twitter, explained that his exploit involved using an initializing function to set his own bridge address, which hijacked ETH deposits made from Ethereum to Arbitrum Nitro.

“We could either selectively target large ETH deposits to remain undetected for a longer period of time, siphon up every single deposit that comes through the bridge, or wait and just front-run the next massive ETH deposit,” explained Riptide in a Medium on September 20.

It is possible that the hack resulted in tens or even hundreds of millions of Ethereum, as the largest deposit riptide recorded in the inbox reached 168,000 ETH worth over $225 million, and the typical deposit ranged from 1000 to 5000 ETH in a 24-hour period, worth $1.34 to $6.7 million on average.

 Arbitrum team” provided a 400 ETH bounty, Riptide says

In spite of the potential earnings from the ill-gotten gains, Riptide was grateful to the Arbitrum team for providing a 400 ETH bounty, which is worth over $536,500; however, they tweeted later that such a find “should be eligible for a maxbounty,” which is $2 million.

“No big deal just bridging a cool $470mm through the same Inbox contract 👀, Definitely should be eligible for a max bounty”, tweeted riptide. 

The exploit has not been publicly discussed by Arbitrum or its creator company OffChain Labs.

Previously, there have been several similar bridge hacks this year, including the $100 million stolen from the Horizon Bridge in June and the $190 million stolen from the Nomad token bridge in August, when original and “copycat” hackers replicated the exploit.

For more info regarding Crypto Alpha and NFTs Alpha.  Always follow us on Twitter and Instagram.

Jamilatul Mahmudah

Related post