Riptide, a white hat hacker that found a vulnerability on Arbitrum, tweeted that his discover was eligible for the max bounty reward of $2 million as a substitute of the 400 ETH ($53,000) reward he received.
No large deal simply bridging a cool $470mm by way of the identical Inbox contract 👀
Positively must be eligible for a max bounty
— riptide (@0xriptide) September 20, 2022
Ethereum scaling device Arbitrum escaped a multimillion-dollar hack after the hacker noticed a vulnerability within the bridge connecting the layer2 community to ETH’s mainnet. The vulnerability affected how transactions are submitted and processed on the community and would have allowed malicious gamers to steal all of the funds despatched to the layer2 community.
In accordance to the white hat hacker, incoming transactions to Arbitrum by way of the bridge may very well be hijacked by malicious gamers who might set their handle because the recipient handle.
Riptide continued that such an exploit might have gone undetected for a very long time if the hacker focused solely massive ETH deposits, or they may have simply front-ran the subsequent main ETH deposit.
Provided that the biggest deposit on the inbox contract within the final 24 hours was 168,000 ETH ($250 million), exploiting the vulnerability might have led to a lack of a whole bunch of hundreds of thousands.
Whereas Riptide initially praised Arbitrum for the 400 ETH reward, the white hat hacker later tweeted that his work deserved the utmost bounty of $2 million.
“My level is that in the event you publish a $2mm bounty — be ready to pay it when it’s justified. In any other case, simply say the max bounty is 400 ETH and be carried out with it. Hackers watch which tasks pay out and which don’t. IMO not a good suggestion to incentivize a whitehat to go blackhat.”
Riptide’s new feedback have been made after a Twitter consumer confirmed that the bridge was lately used to switch over $400 million.
Doing this once more since my different quote tweet received censored by tweeter. Arbitrum bridge bug is vital bridge bug #3 brought on by dangerous initializers, in case we would have liked one more reason to eliminate initializers. Stunned Arbitrum solely paid 400 ETH and never max bounty given deposits like: https://t.co/Lx32UVjDtF pic.twitter.com/cmSx1HMI1k
— smartcontracts.eth (✨🔴_🔴✨) (@kelvinfichter) September 20, 2022
In the meantime, bridge exploits are one of many greatest safety considerations within the crypto trade presently. Assaults on bridges have led to the loss of just about $1 billion up to now yr alone.