The white hat hacker thanked Arbitrum for the 400 ETH payout but said such an exploit should qualify for a maximum reward of nearly 1,500 ETH, or $2 million. A self-described white hat hacker discovered a “multi-million dollar vulnerability” in the bridge connecting Ethereum and Arbitrum Nitro and received a reward of 400 Ether for his discovery.
Known as “Riptide” on Twitter, the hacker described the exploit as using the initialization function to set up his own bridging address, which would hijack all incoming ETH deposits from those trying to transfer funds from Ethereum to Arbitrum Nitro.
Riptide explained the exploit in a Medium post on September 20:
“We could either selectively target large ETH deposits to remain undetected for a longer period of time, siphon up every single deposit that comes through the bridge, or wait and just front-run the next massive ETH deposit”.
The hack could have potentially done tens or even hundreds of millions of ETH in damage, as the largest deposit recorded by Riptide was 168,000 ETH worth over $225 million, and typical deposits ranged from 1,000 to 5,000 ETH over a period of 24 hours, worth between 1.34 and 6.7 million dollars.
Despite the potential to profit from ill-gotten gains, Riptide was grateful that the “extremely thorough Arbitrum team” secured the 400 ETH reward, valued at over $536,500, but later added on Twitter that such a discovery “should be eligible for the top reward ”, which is worth 2 million dollars.
Neither Arbitrum nor OffChain Labs have yet publicly commented on the exploit.
Arbitrum is a layer 2 Optimistic Rollup solution for Ethereum, it bundles a series of transactions before sending them to the Ethereum network in an effort to reduce network congestion and save on transaction fees.
Arbitrum Nitro was launched on August 31st, an upgrade that aims to simplify communication between Arbitrum and Ethereum, as well as increase its transaction throughput with lower fees. Bridge hacks in a similar style have been successful for hackers this year, notably the $100 million stolen from the Horizon bridge in June and the recent Nomad token bridge incident in August where original and copycat hackers repeated the $190 million exploit.