A self-described “white hat” hacker discovered a “multi-million dollar vulnerability” in the bridge connecting Ethereum and Arbitrum Nitro and received a 400 ether (ETH) bounty for his discovery.

Known on Twitter as riptide, the hacker described the exploit as using an initialization function to set up a custom bridge address that intercepts all incoming ETH deposits from those trying to transfer funds from Ethereum to Arbitrum Nitro.
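The pattern the article describes, a bridge address that can be set through an initialization function, is illustrated below as an added example; this is not code from riptide's post or from Arbitrum, and the contract and function names are assumed. The weak form is shown beside a hardened form with a one-shot, deployer-restricted initializer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration of the bug class described in the article: a deposit
// contract whose initialization function sets the bridge that receives ETH.
// Contract and function names are assumed, not Arbitrum's actual code.

// Weak form: initialize() has no one-time guard and no caller check, so
// whoever calls it (first, or again) chooses where later deposits are sent.
contract InboxUnguarded {
    address public bridge;

    function initialize(address _bridge) external {
        bridge = _bridge;          // no check that this is the first call
    }

    function depositEth() external payable {
        (bool ok, ) = bridge.call{value: msg.value}("");
        require(ok, "forward failed");
    }
}

// Hardened form: initialization is restricted to the deployer, can happen
// only once, rejects a zero address, emits an event for monitoring, and
// deposits are refused until initialization has actually taken place.
contract InboxGuarded {
    address public bridge;
    address public immutable deployer;
    bool private initialized;

    event Initialized(address indexed bridge);

    constructor() { deployer = msg.sender; }

    function initialize(address _bridge) external {
        require(msg.sender == deployer, "not deployer");
        require(!initialized, "already initialized");
        require(_bridge != address(0), "zero bridge");
        initialized = true;
        bridge = _bridge;
        emit Initialized(_bridge);
    }

    function depositEth() external payable {
        require(initialized, "not initialized");
        (bool ok, ) = bridge.call{value: msg.value}("");
        require(ok, "forward failed");
    }
}
```

A deployment checklist should read `bridge()` back after deployment and confirm it is the expected address before the contract is announced, and the `Initialized` event gives a signal to alert on if it ever fires unexpectedly.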

Riptide explained the exploit in a September 20 Medium post:

“We could either selectively target large ETH deposits to go undetected for a longer period of time, pump every deposit that goes across the bridge, or wait and just fire up the next large ETH deposit.”

The hack could potentially bring in tens or even hundreds of millions of ETH: the largest deposit flow registered in a mailbox was 168,000 ETH, worth over $225 million, and typical deposits ranged from 1,000 to 5,000 ETH ($1.34 million to $6.7 million) in a 24-hour period.

Despite the potential profit from ill-gotten gains, riptide was grateful that the “extremely evolved Arbitrum team” provided a bounty of 400 ETH, worth over $536,500. However, he later added on Twitter that such a find “should be eligible for the maximum reward,” which is worth $2 million.

Neither Arbitrum nor its maker OffChain Labs has publicly commented on the exploit. OffChain Labs was contacted for comment but did not immediately respond.

Arbitrum is a layer-2 optimistic rollup for Ethereum that bundles batches of transactions before sending them to the Ethereum network, reducing network congestion and saving on fees. Arbitrum Nitro was launched on August 31. The update aims to simplify communication between Arbitrum and Ethereum and to increase transaction throughput at lower fees.

Similar bridge hacks have succeeded this year, notably the $100 million stolen from the Horizon Bridge in June and the Nomad token bridge incident in August, in which $190 million was stolen by the original attackers and by copycats replicating the exploit.

