A "multi-million dollar vulnerability" in the bridge connecting Ethereum and Arbitrum Nitro has been discovered by a self-described white hat hacker, who has been rewarded with 400 Ether (ETH) for their discovery.
The hacker, who goes by the handle riptide on Twitter, explained that the issue involved using an initializing function to set their own bridge address, which would allow the theft of all incoming ETH deposits from people seeking to bridge funds from Ethereum to Arbitrum Nitro.
On September 20, Riptide described the vulnerability in a Medium post:
"We could wait and just front-run the next major ETH deposit, or we could strategically target large ETH deposits to remain undiscovered for a longer period of time, siphon up every deposit that comes via the bridge, or both."
The largest deposit riptide recorded in the inbox was 168,000 ETH, worth over $225 million, and typical deposits ranged from 1000 to 5000 ETH in a 24-hour period, worth between $1.34 million and $6.7 million. An exploit could therefore have resulted in the theft of tens or even hundreds of millions of dollars' worth of ETH.
Riptide expressed appreciation to the "very based Arbitrum team" for offering a 400 ETH reward, worth over $536,500, despite the possibility of profiting illicitly from the exploit. However, they later stated on Twitter that such a find "should be eligible for a max payout," which is worth $2 million.
"No big deal just bridging a cool $470mm through the same Inbox contract 👀 Definitely should be eligible for a max bounty" — riptide (@0xriptide), September 20, 2022
Cointelegraph approached OffChain Labs for comment, but did not immediately receive a response. Neither Arbitrum nor the business that created it, OffChain Labs, has made any public statement regarding the exploit.
Arbitrum is a layer-2 Optimistic Rollup solution for the Ethereum network that aims to reduce network congestion and cut costs. It batches transactions together before sending them to the Ethereum network. Arbitrum Nitro went live on August 31. This update aims to make communication between Arbitrum and Ethereum easier while also speeding up transactions and lowering costs.
Similar bridge hacks have succeeded for exploiters this year. Two examples are the theft of $100 million from the Horizon Bridge in June and the recent Nomad token bridge incident in August, in which $190 million was drained by the original and "copycat" hackers replicating the vulnerability.