An anonymous white-hat hacker has discovered a “multi-million dollar vulnerability” in the bridge between Ethereum and Arbitrum Nitro and has been rewarded 400 Ether (ETH).
Arbitrum is a layer-2 Optimistic Rollup for Ethereum: it bundles batches of transactions before submitting them to the Ethereum network, reducing congestion on the base chain.
The Earning Potential from the Ill-Gotten Gains
The hacker, who goes by the name riptide on Twitter, explained that the exploit involved calling an initialization function to set a bridge address of their own choosing, which would have redirected ETH deposits made from Ethereum to Arbitrum Nitro.
“We could either selectively target large ETH deposits to remain undetected for a longer period of time, siphon up every single deposit that comes through the bridge, or wait and just front-run the next massive ETH deposit,” explained riptide in a Medium post on September 20.
Had it been exploited, the bug could have netted tens or even hundreds of millions of dollars' worth of ETH: the largest deposit riptide observed in the inbox reached 168,000 ETH, worth over $225 million, and typical deposits ranged from 1,000 to 5,000 ETH in a 24-hour period, worth $1.34 to $6.7 million on average.
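The failure mode described above, an initialization function that can be called to repoint the bridge address, is illustrated here with a hypothetical contract beside a guarded version. This is an added example written for this article, not Arbitrum's Inbox code; all contract and function names are invented, and the guard mirrors the pattern OpenZeppelin's `Initializable` enforces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical inbox whose initializer has no guard (NOT Arbitrum's code).
// Anyone can call initialize() again and point `bridge` at their own address,
// after which every deposit is forwarded to the attacker-controlled bridge.
contract UnguardedInbox {
    address public bridge;

    function initialize(address _bridge) external {
        bridge = _bridge;
    }

    function depositEth() external payable {
        (bool ok, ) = bridge.call{value: msg.value}("");
        require(ok, "bridge transfer failed");
    }
}

// Hardened version: the initializer runs exactly once, and later changes to
// the bridge address go only through an explicit, owner-gated setter.
contract GuardedInbox {
    address public bridge;
    address public owner;
    bool private _initialized;

    error AlreadyInitialized();
    error NotOwner();

    function initialize(address _bridge, address _owner) external {
        if (_initialized) revert AlreadyInitialized();
        require(_bridge != address(0) && _owner != address(0), "zero address");
        _initialized = true;
        bridge = _bridge;
        owner = _owner;
    }

    function setBridge(address _bridge) external {
        if (msg.sender != owner) revert NotOwner();
        require(_bridge != address(0), "zero bridge");
        bridge = _bridge;
    }

    function depositEth() external payable {
        require(_initialized, "not initialized");
        (bool ok, ) = bridge.call{value: msg.value}("");
        require(ok, "bridge transfer failed");
    }
}
```

In a review, the check to run is simple: every function that writes a privileged address such as `bridge` must be reachable only once at setup or only by an authorized role, and a `bridge` that changes outside a governance transaction is a detection signal worth monitoring on-chain.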
Arbitrum team provided a 400 ETH bounty, riptide says
Despite the potential earnings from the ill-gotten gains, riptide was grateful to the Arbitrum team for the 400 ETH bounty, worth over $536,500; they later tweeted, however, that such a find “should be eligible for a max bounty,” which is $2 million.
“No big deal just bridging a cool $470mm through the same Inbox contract 👀, Definitely should be eligible for a max bounty”, tweeted riptide (@0xriptide) on September 20, 2022.
Neither Arbitrum nor its developer, OffChain Labs, has publicly discussed the exploit.
There have been several similar bridge hacks this year, including the $100 million stolen from the Horizon Bridge in June and the $190 million stolen from the Nomad token bridge in August, when the original attackers and “copycat” hackers replicated the exploit.