Arbitrum Rewards Hacker With 400 ETH For Detecting a Critical $400M Vulnerability
On September 19, Arbitrum, one of the most popular Layer 2 solutions for Ethereum, paid 400 ETH (about $560,000) to a white hat hacker who found a potential vulnerability in its code. The white hat hacker, known on Twitter as Riptide, finds vulnerabilities within smart contracts written in Solidity. Riptide said the “multi-million dollar vulnerability” could potentially affect anyone who wanted to exchange funds from Ethereum to Arbitrum Nitro. The hacker thoroughly scanned the Arbitrum Nitro code a few weeks before it was released, checking the contracts so they could “see if the update had been a success.” After the upgrade, Riptide noticed some errors that prevented the bridge from working correctly. Upon further inspection, Riptide noticed that the inbox sequencer was experiencing a delay. “A client can send a message to the Sequencer by signing and publishing an L1 transaction in the Arbitrum chain’s Delayed Inbox. This functionality is most commonly used for depositing ETH or tokens via a bridge.” After rescanning the contract, Riptide confirmed that the inbox sequencer bug allowed a critical vulnerability in the contract by which Riptide or another malicious hacker could have obtained millions of dollars by diverting incoming ETH deposits from the L1 to the L2 bridge into their wallets before being detected.