White Hat Hacker Finds Arbitrum Bug And Saves the Day

Key Points:

  • A white hat hacker has claimed a reward of 400 ETH after identifying a potential Arbitrum bug.
  • A bug in the contract would have allowed hackers to obtain millions of dollars.
  • There was a way to hijack ETH deposits from users trying to bridge onto Arbitrum.

Riptide, a white hat hacker, revealed a critical bug in the Ethereum scaling solution Arbitrum and claimed a reward of 400 ETH. He carefully scanned the contract, and on rescanning it confirmed that an inbox sequencer bug introduced a critical vulnerability that would have let an attacker obtain millions of dollars by diverting incoming ETH deposits from the L1 to L2 bridge into the attacker’s wallet before they were detected.

The possible hack could have netted hundreds or thousands of Ether, as the largest single deposit observed in the inbox was 168,000 Ether, worth over $225 million. On average, deposits were between 1,000 and 5,000 ETH, worth roughly $1.34 million to $6.7 million.

Riptide Disappointed By The Arbitrum Bug Payout

Instead of using the opportunity to profit from the flaw, Riptide said that “My current interest lies in cross-chain projects because of their complexity and the significant amount of money at risk due to the ‘honeypot’ structure.” After discovering the vulnerability, he noted that there would have been enough time to choose between lying in wait undetected for a large ETH deposit, draining all the deposits that passed through the bridge, or giving up and moving on to the next major ETH deposit. Although Riptide was grateful that the Arbitrum team offered a 400 ETH bounty, he was disappointed with the size of the reward.

The Arbitrum Chain delayed inbox, which is used to deposit ETH or tokens, implements an initializer function. Riptide pointed out that “there is a way to hijack all ETH deposits from users trying to bridge onto the Arbitrum network via the depositAuth() function.” In a blog post, Riptide also mentioned that he had been aware of the Arbitrum Nitro launch and had been waiting to see how successful the upgrade would be.
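The class of flaw described above, as an added illustration that is not Arbitrum's code: a hypothetical deposit inbox whose initializer can be called by anyone, next to a hardened form with a one-shot, deployer-only guard. Contract names, function names and the `bridge` destination are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical minimal deposit inbox (not Arbitrum's code). Weak form:
// initialize() has no guard, so anyone can call it (or call it again after
// an upgrade leaves storage unset) and redirect every forwarded deposit.
contract DepositInboxWeak {
    address public bridge;

    function initialize(address _bridge) external {
        bridge = _bridge;
    }

    function depositEth() external payable {
        (bool ok, ) = bridge.call{value: msg.value}("");
        require(ok, "forward failed");
    }
}

// Hardened form: one-shot initializer restricted to the deployer, plus a
// check that a destination was set before any ETH is forwarded. A deploy or
// upgrade script should call initialize() atomically and assert the flag.
contract DepositInboxHardened {
    address public bridge;
    address private immutable deployer;
    bool public initialized;

    event Initialized(address indexed bridge);

    constructor() { deployer = msg.sender; }

    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true; // set before the body runs: no second entry
        _;
    }

    function initialize(address _bridge) external initializer {
        require(msg.sender == deployer, "not deployer");
        require(_bridge != address(0), "zero bridge");
        bridge = _bridge;
        emit Initialized(_bridge);
    }

    function depositEth() external payable {
        require(initialized, "not initialized");
        (bool ok, ) = bridge.call{value: msg.value}("");
        require(ok, "forward failed");
    }
}
```

The weak contract shows why a deployment or upgrade checklist should treat an unset `initialized` flag as a failed deployment rather than a follow-up task.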

Hacking attacks on crypto exchanges are one of the largest safety hazards in the digital currency business. Remember that Arbitrum suffered a hacking exploit in March 2022 and lost over 100 NFTs from TreasureDAO. 

The Arbitrum bug, had it been exploited, would have joined the long line of attacks that have plagued the cryptocurrency industry over the years. Those attacks have led to losses of over $1 billion so far this year, and there is no sign that hackers will stop their efforts anytime soon.

Hacking incidents may involve exploitable vulnerabilities in cryptographic networks. Some white hat hackers have been known to report faults in the protocols they find and to receive a reward for their efforts. However, other hackers exploit any vulnerabilities they find in order to steal money from the systems.

Basil Kimathi

Basil is an avid fan of blockchain technology and all its innovations and is passionate about sharing this narrative with his audience. He boasts over four years within the crypto space, specializing in research and creating fintech content for various media outlets around the globe. His work has been published on top websites such as usethebitcoin.com, European Blockchain Convention, BTCpeers, coinjournal.net, coinlist.me, and many others. When not thinking about disruptive technologies, Basil is busy exploring the outdoors. You can find him on Twitter using the link below. https://twitter.com/basil_kimathi