A white hat hacker known as Riptide found a vulnerability in the Arbitrum Layer 2 scaling network. The discovery saved the network from losing around BRL 2.4 billion in a potential attack exploiting the bug. As a reward for reporting the flaw, the hacker received 400 ETH, around BRL 2.77 million at the current price. For the hacker, however, the amount paid was not what he considered fair: the Arbitrum network advertises a maximum reward of US$ 2 million (more than R$ 10 million) for anyone who identifies a major flaw.
Hacker detects critical vulnerability in Arbitrum
The hacker detected a vulnerability in the bridge that connects the Layer 2 network to the Ethereum mainnet. In practice, this flaw had the potential to affect the way transactions are sent and processed on the network. Furthermore, it could have allowed malicious actors to steal all funds sent to the Layer 2 network. According to the hacker, the bug could affect any depositor trying to transfer funds from the Ethereum network to Arbitrum Nitro, the latest version of Arbitrum. Attackers could thus “hijack” the transactions received on Arbitrum through the bridge, set their own address as the recipient of the transaction, and steal the funds. Also according to Riptide, an exploit could have gone unnoticed for a long time if the attacker only targeted large deposits of Ether (ETH).
Low reward
Given that the biggest deposit in the contract in the last 24 hours was 168,000 ETH ($250 million), exploiting the vulnerability could have led to a loss of millions, the hacker explained on his blog. At the end of the blog post, Riptide thanked Arbitrum for the 400 ETH reward. However, he later learned that the bridge was used to send over US$475 million.
Doing this again since my other quote tweet got censored by tweeter. Arbitrum bridge bug is critical bridge bug #3 caused by bad initializers, in case we needed another reason to get rid of initializers. Surprised Arbitrum only paid 400 ETH and not max bounty given deposits like: https://t.co/Lx32UVjDtF pic.twitter.com/cmSx1HMI1k
— smartcontracts.eth (✨🔴_🔴✨) (@kelvinfichter) September 20, 2022
“Doing this again since my other quote tweet got censored by Twitter. The Arbitrum bridge bug is critical bridge bug #3 caused by bad initializers, in case we needed another reason to get rid of initializers. Surprised Arbitrum only paid 400 ETH and not the maximum bounty,” tweeted @kelvinfichter. Riptide retweeted the post and also considered the reward low. According to him, if a network offers a reward of US$ 2 million, it has to be ready to pay it when the case arises: “Otherwise, just say the maximum is 400 ETH and that’s it. Hackers watch which projects pay and which don’t. In my opinion, it is not a good idea to encourage a white hat to become a black hat,” tweeted the white hat hacker.