An unknown developer discovered a vulnerability that might have been exploited in the bridge that connects Ethereum with Arbitrum Nitro. As a result, another significant crypto hack in the cryptocurrency ecosystem was averted.
Riptide, a white hat hacker, was able to collect a bounty of 400 ETH by disclosing a critical flaw in the Ethereum scaling solution Arbitrum. This flaw would have made it possible for any hacker to steal all incoming deposits made between the Layer1 and Layer2 bridge. Riptide’s disclosure earned him the bounty.
Instead of taking advantage of the security flaw, the ethical hacker made the following observation: “My current interest is within the cross-chain field due to the complexity involved for the devs of these projects and the significant amount of user’s funds at risk due to the current “honeypot” structure of most bridge implementations.”
Another multi-million dollar exploit has been sidestepped by a hacker who wears a white hat
Riptide mentioned in a blog post that he was aware that Arbitrum Nitro was about to be released and that he had made the decision to monitor the effectiveness of the upgrade. However, after discovering the security breach, the ethical hacker noted that there was sufficient time to either selectively target large ETH deposits in order to remain undetected for a more extended period of time, siphon off every single deposit that passes through the bridge, or simply wait in order to front-run the next massive ETH deposit.
An initializer function is utilized by the Delayed Inbox of the Arbitrum chain. This inbox is utilized for the depositing of ETH or tokens via a bridge. The hacker that wore the white hat pointed out that “we can hijack all incoming ETH deposits from users seeking to bridge to Arbitrum using the depositEth() method.”
The majority of exploits target vulnerabilities found on crypto bridges
A bridge attack, which is becoming an increasingly prevalent method for hackers, was used earlier in the month of August to steal approximately $200 million from the crypto bridge Nomad. Just in this one year, there have already been a number of attacks, one of which cost $600 million and targeted the newly refurbished Ronin bridge of Axie Infinity.
According to Chainalysis, it has been alleged that hackers stole approximately $2 billion from the cryptocurrency business within the first six months of this year. In the meantime, it is anticipated that criminal groups operating in North Korea have already stolen one billion dollars’ worth of bitcoin from DeFi protocols in 2022 alone.
In addition to this, the incident has also sparked a discussion regarding the total amount of bounties paid out to developers and white hat hackers for finding vulnerabilities in the system. An Optimism developer who goes by the Twitter handle ‘smartcontracts.eth’ argued that the maximum reward could have been awarded given the potential impact of the fault. He also added, “Arbitrum bridge bug is critical one caused by bad initializers, in case we needed another reason to get rid of initializers,” which means that the bug was caused by bad initializers. Surprised that Arbitrum has only paid out 400 ETH and not the maximum incentive that was offered”.
The site reported that the largest important deposit recorded on the inbox contract was 168,000 ETH, which is close to $250 million. The blog also emphasized that the total deposits in 24 hours ranged from 1,000 to 5,000 ETH, which exposes the scale of a potential rug pull or hack.
Disclaimer: The opinion expressed here is not investment advice – it is provided for informational purposes only. It does not necessarily reflect the opinion of EGG Finance. Every investment and all trading involves risk, so you should always perform your own research prior to making decisions. We do not recommend investing money you cannot afford to lose.