Arbitrum rewards hacker with 400 ETH for discovering a $400 million critical vulnerability

On September 19, Arbitrum, one of the most popular Layer 2 solutions for Ethereum, paid 400 ETH (~$560,000) to a white-hat hacker who found a critical vulnerability in its code.

The white-hat hacker, known on Twitter as Riptide, discovered vulnerabilities in smart contracts written in Solidity. Riptide said the “multi-million dollar weakness” could affect anyone bridging funds from Ethereum to Arbitrum Nitro.

Arbitrum avoided losses of millions of dollars

The hacker had carefully reviewed the Arbitrum Nitro code a few weeks before its release, then went back over the contracts after the upgrade to “see if the update worked”.

After the upgrade, Riptide noticed some bugs that stopped the bridge from working properly. Digging further, Riptide turned to the sequencer's delayed inbox.

“The client can send a message to the Sequencer by signing and posting the L1 transaction to the Arbitrum Chain’s delayed inbox. This feature is mostly used to deposit ETH or tokens via a bridge.”

After re-examining the contracts, Riptide confirmed that the sequencer inbox bug amounted to a critical vulnerability: Riptide, or any malicious hacker who found it first, could have made millions of dollars by redirecting ETH deposits passing through the L1-to-L2 bridge into their own wallets before anyone noticed.

Instead, Riptide reported the vulnerability and applied for a bounty, which, to their surprise, came to only 400 ETH rather than the $2 million maximum that Arbitrum's bug bounty program offers. After receiving the reward, the hacker said it did not match the severity of the bug or the risk it posed.

It is worth noting that in March 2022, the Arbitrum ecosystem was hit by an exploit in which a hacker or group of hackers stole over 100 NFTs from TreasureDAO, worth at least $1.4 million.

White Hat Hacker: Profitable Business in Crypto-Land

Independent security review matters a great deal in the crypto ecosystem. Over the course of the year, many platforms have chosen to pay bounties to white-hat hackers who report vulnerabilities in their code or smart contracts.

For example, in mid-February, Coinbase paid the “largest bounty in its history” ($250,000) to a hacker known as “Tree of Alpha” for reporting a bug in its “Advanced Trading” feature that could have cost the exchange $1 billion.

At the time, Tree of Alpha said he was grateful for the payout, which he noted would help with his retirement; but, like Riptide, he remarked that “a higher reward would have been smart to deter more gray hats from exploiting vulnerabilities.”

Jay “Saurik” Freeman, who works on the Orchid decentralized VPN protocol and is a legend in the iOS jailbreak community, received more than $2 million for reporting a vulnerability in Optimism, another Layer 2 scaling solution for Ethereum.

The post Arbitrum Rewards Hacker with 400 ETH for Discovering a $400 Million Critical Vulnerability appeared first on CryptoPotato.
