
Arbitrum Gifts Hacker 400 ETH For Detecting a Critical $400M Vulnerability


On September 19, Arbitrum, a popular Layer 2 solution for Ethereum, rewarded 400 ETH (about $560,000) to a white hat hacker who found a potential vulnerability in its code.

The white hat hacker, known on Twitter as Riptide, searches for vulnerabilities in smart contracts written in Solidity.

Riptide said the “multi-million dollar vulnerability” could potentially affect anyone who wanted to bridge funds from Ethereum to Arbitrum Nitro.

No big deal just bridging a cool $470mm through the same Inbox contract 👀

Definitely should be eligible for a max bounty

🤯 https://t.co/w7S58QNQZu

— riptide (@0xriptide) September 20, 2022

The hacker thoroughly scrutinized Arbitrum Nitro code a few weeks before it was released, checking the contracts so they could “see if the update had been a success.”

After the upgrade, Riptide identified some errors that prevented the bridge from working correctly.

Upon further inspection, Riptide noticed that the inbox sequencer was experiencing a delay.

“A client can send a message to the Sequencer by signing and publishing an L1 transaction in the Arbitrum chain’s Delayed Inbox. This functionality is most commonly used for depositing ETH or tokens via a bridge.”

Going further, Riptide rescanned the contract and confirmed that the inbox sequencer bug opened a critical vulnerability in the contract: Riptide, or any malicious hacker, could have diverted incoming ETH deposits sent through the L1-to-L2 bridge into their own wallet before being detected.

My bug bounty write-up on a critical vulnerability I discovered on Arbitrum Nitro which allowed an attacker to steal all incoming ETH deposits to the L1->L2 bridge
https://t.co/WuR4RYUL3L
@icodeblockchain @samiamka2 @Mudit__Gupta @0xRecruiter @BowTiedCrocodil @BowTiedDevil

— riptide (@0xriptide) September 20, 2022

However, Riptide made up his mind to report the vulnerability and apply for a reward instead, which, to his surprise, was just 400 ETH rather than the $2 million Arbitrum offered as its maximum bounty tier.

After receiving his reward, he argued that it was not in line with the importance of the bug and the risk it entailed.

My point is that if you post a $2mm bounty- be prepared to pay it when it’s justified. Otherwise just say the max bounty is 400 ETH and be done with it.

Hackers watch which projects pay out and which do not

IMO not a good idea to incentivize a whitehat to go blackhat

— riptide (@0xriptide) September 20, 2022

Meanwhile, the crypto space has become a source of work even for white hat hackers.

Instead of stealing funds from users, a hacker who finds a major smart contract bug can report it and ask for a reward.

However, some black hat hackers were once white hats.
