A “white hat” hacker who collaborates with companies has discovered a bug in the latest update to the Arbitrum platform, a scalable Ethereum network, that could have led to the theft of more than $530 million.
Arbitrum’s construction company, OffChain Labs, rewarded the hacker, who operates under the alias 0xriptide, with a reward of 400 ETH (worth approximately $530,000) for sharing the discovery with the company – an amount equivalent to just 0.1% of the total threatened.
Arbitrum released its latest update, Nitro, on August 31, in anticipation of the Ethereum Merger, the network’s long-awaited transition from a proof-of-work (PoW) consensus mechanism to proof-of-stake (PoS).
Immediately after Nitro’s release, 0xriptide began scouring code for vulnerabilities, according to a blog post by the hacker detailing the discovery.
Arbitrum bug hunt
Ethereum scalability networks such as Arbitrum navigate around the slow mainnet speed of expensive transaction fees, “rolling” a large amount of transactions into a separate chain and then relaying them back to the mainnet. Ethereum as a single transaction.
This substantially increases the speed and accessibility of transactions, but can also expose users to vulnerabilities.
0xriptide discovered that the bridge between the main Ethereum network and Nitro contained a flaw that would allow any hacker to replace Arbitrum’s destination address with their own. Essentially, any funds earmarked from Ethereum to Arbitrum could be redirected directly to a hacker’s wallet.
According to 0xriptide, an attacker could have manipulated the bug to select massive individual deposits and evade detection, or divert the entire flow of deposits received from Arbitrum. In the period between Nitro’s debut in late August and when 0xriptide notified OffChain Labs of the bug, more than 400,000 ETH was transferred using this route, according to data from a Dune Analytics dashboard.
0xriptide also noted that over the past three weeks, the largest single deposit on Aribtrum was 168,000 ETH, or $225 million. During this period, however, no hackers exploited the bug, and Arbitrum suffered no attacks.
Ethereum attacks grow
So-called cross-chain bridge attacks, such as the one 0xriptide may have prevented, are becoming commonplace in the world of Ethereum applications. In March, the Lazarus Group, a hacking group affiliated with North Korea, stole $622 million by infiltrating a bridge used by the game Axie Infinity. That same group earned $100 million in June targeting another Ethereum bridge, used by the Harmony Protocol.
Upon confirmation of the Nitro flaw, OffChain Labs sent 0xriptide a payment of 400 ETH, or just over $530,000, via the web3 bug bounty platform ImmuneFi.
“Thanks to the extremely serious Arbitrum team for providing a reward of 400 ETH and of course for creating an incredible technological breakthrough with their L2 implementation,” 0xriptide wrote on Monday.
The hacker may have developed doubts about the value of his discovery, however. On Tuesday, he tweeted that given the hundreds of millions of dollars saved, Arbitrum could have been more generous:
No big deal just bridging a cool $470mm through the same Inbox contract 👀
Definitely should be eligible for a max bounty
— riptide (@0xriptide) September 20, 2022
*Translated with permission from Decrypt.co.
This is the best time in history to invest in crypto! And now, you can access an exclusive course from top crypto experts to learn the fundamentals and techniques that help you navigate the ups and downs of the market. register here