White hat hacker grumbles over Arbitrum bounty reward after saving network from $475M loss

Riptide, a white hat hacker who discovered a vulnerability in Arbitrum, tweeted that his find should have been eligible for the maximum bounty of $2 million instead of the 400 ETH (roughly $530,000 at the time) he was paid.

No big deal just bridging a cool $470mm through the same Inbox contract 👀

Definitely should be eligible for a max bounty

🤯 https://t.co/w7S58QNQZu

— riptide (@0xriptide) September 20, 2022

Ethereum scaling solution Arbitrum escaped a multimillion-dollar hack after the hacker spotted a vulnerability in the bridge connecting the layer-2 network to Ethereum mainnet. The vulnerability affected how incoming transactions are submitted and processed and would have allowed an attacker to steal the ETH users deposited into the layer-2 network through the bridge.

The vulnerability

According to the white hat hacker, incoming transactions to Arbitrum through the bridge could be hijacked: an attacker could set their own address as the recipient of a deposit.

Riptide added that such an exploit could have gone undetected for a long time if the attacker targeted only large ETH deposits, or the attacker could simply have front-run the next large ETH deposit.

Given that the largest deposit to the Inbox contract in the preceding 24 hours was 168,000 ETH (about $250 million), exploiting the vulnerability could have caused losses in the hundreds of millions of dollars.
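The article gives only the outline of the flaw (deposits could be redirected to an attacker-chosen recipient, and Kelvin Fichter's tweet quoted further down attributes it to "bad initializers"). The Solidity below is an added, generic illustration of the unprotected-initializer bug class in a proxy-style bridge contract; it is not Arbitrum's Inbox code and makes no claim about how Arbitrum's bug actually worked. `IBridge`, `deliverDeposit`, `VulnerableInbox` and `HardenedInbox` are made-up names for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only: hypothetical interface, not Arbitrum's.
interface IBridge {
    function deliverDeposit(address recipient) external payable;
}

// Vulnerable pattern: a proxy-style contract whose initialize() has no
// access control and no one-shot guard. Whoever calls it (first, or again
// later) chooses the contract that receives every future deposit.
contract VulnerableInbox {
    IBridge public bridge;

    function initialize(IBridge _bridge) external {
        bridge = _bridge; // anyone can point this at their own contract
    }

    // Users deposit ETH here expecting it to be credited on L2.
    function depositEth(address l2Recipient) external payable {
        // If `bridge` was hijacked, the deposit is forwarded to the attacker.
        bridge.deliverDeposit{value: msg.value}(l2Recipient);
    }
}

// Hardened pattern: initialization can happen exactly once, the bridge
// address is validated, and deposits are refused until it has happened.
contract HardenedInbox {
    IBridge public bridge;
    bool private _initialized;

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    function initialize(IBridge _bridge) external initializer {
        require(address(_bridge) != address(0), "zero bridge");
        bridge = _bridge;
    }

    function depositEth(address l2Recipient) external payable {
        require(_initialized, "not initialized");
        bridge.deliverDeposit{value: msg.value}(l2Recipient);
    }
}
```

The one-shot guard closes the re-initialization hole, but it does not stop a third party from being the first to call `initialize()`. The remaining defence is operational: initialize the proxy in the same transaction that deploys or upgrades it, so no window exists, and disable the initializer on the bare implementation contract so it cannot be initialized out of band.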

Bounty reward

While Riptide initially praised Arbitrum for the 400 ETH reward, the white hat hacker later tweeted that his work deserved the maximum bounty of $2 million.

Riptide said:

“My point is that if you post a $2mm bounty — be prepared to pay it when it’s justified. Otherwise, just say the max bounty is 400 ETH and be done with it. Hackers watch which projects pay out and which do not. IMO not a good idea to incentivize a whitehat to go blackhat.”

Riptide’s latest comments came after a Twitter user showed that the bridge had recently been used to transfer over $400 million.

Doing this again since my other quote tweet got censored by twitter. Arbitrum bridge bug is critical bridge bug #3 caused by bad initializers, in case we needed another reason to get rid of initializers. Surprised Arbitrum only paid 400 ETH and not max bounty given deposits like: https://t.co/Lx32UVjDtF pic.twitter.com/cmSx1HMI1k

— smartcontracts.eth (✨🔴_🔴✨) (@kelvinfichter) September 20, 2022

Meanwhile, bridge exploits are currently one of the biggest security concerns in the crypto industry. Attacks on bridges have led to the loss of about $1 billion in the past year alone.

The post White hat hacker grumbles over Arbitrum bounty reward after saving network from $475M loss appeared first on CryptoSlate.