Arbitrum paid a code bounty hunter 400 ETH (about $520,000) for finding a vulnerability in the bridging between Ethereum, Arbitrum Nitro and other blockchains. The vulnerability could have put more than $250,000,000 at risk, but it was discovered before any funds were stolen.
Arbitrum has released details of the vulnerability and the bounty. The exploit could have put more than $250 million at risk.
The vulnerability was discovered by a pseudonymous Solidity bounty hunter, “0xriptide,” who stated that it could have affected anyone who tried to bridge funds between Ethereum and Arbitrum Nitro.
Arbitrum vulnerability finder goes by the name of 0xriptide
Arbitrum paid 0xriptide 400 ETH (about $520,000) for reporting the vulnerability.
0xriptide’s day-to-day consists of scanning ImmuneFi, a bug bounty platform that has stopped hacks worth more than $20 trillion. He has been focusing on cross-chain exploits because they present a greater risk to funds, given the honeypot structure of bridge protocols.
He began his search for the Arbitrum exploit a few weeks before the Arbitrum Nitro upgrade. After his initial investigation, he discovered a vulnerability in which the bridging contract could accept deposits even though it had not yet been initialized.
“When you find an uninitialized address in Solidity, you should take a moment and pause to investigate further. You never know if it was intentionally left uninitialized by mistake or purposely left unsanctioned.”
What the bridge exploit is
0xriptide discovered that a hacker could set their own address to act as the bridge and steal all incoming ETH deposits from Ethereum, Arbitrum Nitro, and other addresses.
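To make the bug class concrete, here is an added, simplified illustration of the uninitialized-bridge pattern described above and its hardened counterpart. It is hypothetical example code written for this article, not Arbitrum's contracts; the contract and function names are assumptions, and the real mitigation in production code is usually a one-shot `initializer` guard such as OpenZeppelin's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative only: hypothetical contracts, not Arbitrum's code.

/// Weak pattern: the bridge address is filled in by a public initializer.
/// Nothing restricts who may call it or how many times, and deposits are
/// accepted while `bridge` is still unset.
contract InboxWeak {
    address public bridge;

    function initialize(address _bridge) external {
        bridge = _bridge; // unrestricted: any caller, any number of times
    }

    function depositEth() external payable {
        // Forwards value to whatever address `bridge` currently holds.
        (bool ok, ) = bridge.call{value: msg.value}("");
        require(ok, "forward failed");
    }
}

/// Hardened pattern: initializer runs once, only for the deployer, rejects
/// the zero address, and deposits are refused until the bridge is set.
contract InboxHardened {
    address public bridge;
    address private immutable deployer;
    bool private initialized;

    constructor() {
        deployer = msg.sender;
    }

    function initialize(address _bridge) external {
        require(msg.sender == deployer, "not deployer");
        require(!initialized, "already initialized");
        require(_bridge != address(0), "zero bridge");
        initialized = true;
        bridge = _bridge;
    }

    function depositEth() external payable {
        require(bridge != address(0), "bridge not set");
        (bool ok, ) = bridge.call{value: msg.value}("");
        require(ok, "forward failed");
    }
}
```

A deployment check that catches this class of bug is to read the bridge address from the live contract after the upgrade and fail the release if it is still zero or differs from the expected value.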
The hacker could have targeted larger ETH deposits to hide their actions or launched a guerrilla-style attack to siphon all funds coming in.
The largest single deposit made while the exploit was possible was 168,000 ETH, or $250 million. During the window in which the vulnerability could be exploited, the average deposit in any 24-hour period was between 1,000 and 5,000 ETH.