A white hat hacker has discovered a bug within the latest upgrade for Arbitrum, an Ethereum scaling network, that could have led to the theft of over $530 million.
Arbitrum builder OffChain Labs earlier this week rewarded the hacker, who operates under the pseudonym 0xriptide, with a bounty of 400 ETH (worth approximately $530,000) for sharing the discovery.
Arbitrum launched its latest upgrade, Nitro, on August 31, in anticipation of the Ethereum merge, the Ethereum network’s recent and much-anticipated transition from a proof-of-work consensus mechanism to proof of stake.
Immediately following the launch of Arbitrum Nitro, 0xriptide began scouring its code in search of any vulnerabilities, according to a blog post detailing the discovery.
Ethereum scaling networks like Arbitrum navigate the Ethereum mainnet’s slow speed and costly transaction fees by “rolling up” a large quantity of Ethereum transactions on a separate chain and then relaying them back to the Ethereum mainnet as a single transaction. Doing so increases the speed and affordability of Ethereum transactions substantially, but it can also expose users to vulnerabilities.
0xriptide discovered that the bridge between the Ethereum mainnet and Arbitrum Nitro contained a flaw that would allow any industrious hacker to replace Arbitrum’s destination address with their own. Essentially, any funds meant to flow from Ethereum into Arbitrum could instead be redirected straight into a hacker’s wallet.
Per 0xriptide, a hacker could have used the bug either to selectively pick off massive individual deposits and avoid detection, or to siphon off Arbitrum’s entire incoming deposit flow. In the period between Arbitrum Nitro’s debut in late August and when 0xriptide notified OffChain Labs of the bug, over 400,000 ETH, or $534 million at writing, moved into Arbitrum from Ethereum, according to data from a Dune Analytics dashboard.
0xriptide also noted that within the last three weeks, the largest single deposit to Arbitrum amounted to 168,000 ETH, or $225 million at writing. In that period, however, no hacker exploited the bug, and Arbitrum suffered no attacks.
So-called cross-chain bridge attacks like the one 0xriptide may have prevented are all too common in the world of Ethereum scalers. In March, Lazarus Group, a North Korea-affiliated hacking group, stole $622 million worth of ETH by infiltrating an Ethereum sidechain bridge used by play-to-earn game Axie Infinity. That same group made away with $100 million in June by targeting another Ethereum sidechain bridge utilized by Harmony Protocol.
Upon confirmation of the flaw in Arbitrum Nitro, OffChain Labs sent 0xriptide a payment of 400 ETH, or just over $530,000, via web3 bug bounty platform ImmuneFi.
“Thank you to the extremely based Arbitrum team for providing a 400 ETH bounty, and of course for creating an incredible piece of technological innovation with their L2 implementation,” 0xriptide wrote on Monday.
The hacker may have developed second thoughts about the value of their discovery, however. On Tuesday, they tweeted that, given the hundreds of millions of dollars saved, Arbitrum could have been more generous:
No big deal just bridging a cool $470mm through the same Inbox contract 👀
Definitely should be eligible for a max bounty
— riptide (@0xriptide) September 20, 2022