Self-described white-hat hacker, he discovered a multi-million-dollar vulnerability in the bridge connecting Ethereum and Arbitrum Nitro. He was awarded a bounty of 400 Ether ( ETH).
The hacker is known as “riptide” on Twitter. He described the exploit as using an initializing function for setting their own bridge address. This would then hijack all incoming Ethereum deposits from those trying arbitrum nitrogen funds.
Riptide described the exploit in Medium post, Sept. 20,:
“We could choose to target large ETH deposits selectively, so they are not detected for a longer time, siphon off every single deposit that passes through the bridge, and wait, or just front-run any new massive ETH deposit.”
The hack could have netted millions of ETH. The largest deposit riptide in the inbox was 168,000ETH. It was worth more than $225 million. Typical deposits ranged between 1000 and 5000 ETH over a 24-hour period. They were worth $1.34 million to $6.7 million.
Related: Vitalik Buterin, who helped start Ethereum, talks about his ideas for layer-3 protocols.
Riptide was grateful that the Arbitrum team provided a 400-ETH bounty worth more than $536,500. However, they later added on Twitter that such a bounty “should be eligible to a maximum bounty,” which is worth 2 million.
It’s not a big deal, just to bridge a cool $470mm through the exact same Inbox contract
You should definitely be eligible to receive a maximum bounty
— riptide (@0xriptide) September 20, 2022
Asian Trade reached out to OffChain Labs but was not immediately able to get a response.
Arbitrum is a layer-2 Optimistic rollup solution for Ethereum. It clusters transactions before submitting them to the Ethereum network to reduce network congestion and lower fees. Arbitrum Nitro was launched Aug. 31st. This upgrade aims to simplify communication between Arbitrum, Ethereum and increase transaction throughput while charging lower fees.
Related: After Merge, Ether will spend $20 billion in Shanghai, according to the cryptoverse.
Similar hacks of bridges have been successful this year for exploiters, such as the $100m theft from the Horizon Bridge in Juni and the Nomad token bridge incident August which saw $190m drained by both the original and copycat hackers.