The white hat hacker riptide claimed a bounty of 400 ETH by revealing a critical bug in the Ethereum scaling solution Arbitrum that could have allowed any attacker to steal all incoming deposits passing through the bridge between Layer 1 and Layer 2.
Instead of exploiting the breach, the ethical hacker noted, “My current interest is within the cross-chain arena due to the complexity involved for the developers of these projects and the significant amount of funds at risk due to the current ‘honeypot’ structure of most bridge implementations.”
Ethical white hat hacker averts another multi-million dollar exploit
Riptide noted in a blog post that he knew Arbitrum Nitro was launching and decided to keep an eye on the upgrade to check its success. After finding the vulnerability, the ethical hacker noted there was enough time for an attacker to selectively target large ETH deposits to remain undetected for a more extended period, to siphon off every single deposit that passes through the bridge, or simply to wait and front-run the next massive ETH deposit.
Arbitrum chain’s Delayed Inbox, which is used for depositing ETH or tokens via a bridge, uses an initializer function. The white hat hacker noted that “we can hijack all incoming ETH deposits from users attempting to bridge to Arbitrum via the depositEth() function.”
Vulnerabilities on crypto bridges are the most exploited
Earlier in August, crypto bridge Nomad was exploited for nearly $200 million, as bridge attacks have become an increasingly common tactic for criminals. Numerous attacks have occurred this year alone, including the $600 million attack on the relaunched Ronin bridge of Axie Infinity.
Hackers reportedly stole nearly $2 billion from the DeFi industry during the first six months of this year, according to Chainalysis. Meanwhile, it is also estimated that North Korean criminal groups have already taken $1 billion in cryptocurrency from DeFi protocols in 2022 alone.
The incident has also started a debate about the size of the bounties paid to developers and white hat hackers for exposing weaknesses. An Optimism developer, who uses the Twitter handle ‘smartcontracts.eth,’ argued that given the potential impact of the fault, the maximum reward could have been given, adding, “Arbitrum bridge bug is critical bridge bug #3 caused by bad initializers, in case we needed another reason to get rid of initializers. Surprised Arbitrum only paid 400 ETH and not [the] max bounty given.”
The blog highlighted that the most significant deposit recorded on the inbox contract was 168,000 ETH (close to $250 million), with total deposits in 24 hours ranging from ~1000 to ~5000 ETH, exposing the extent of a potential rug pull or hack.