A so-called “white hat” hacker discovered a huge flaw in the cross chain bridge between Ethereum (ETH) and Arbitrum. Through this bridge, users can send ETH to Arbitrum, a layer-2 scaling network for Ethereum.
The “ethical” hacker, dubbed “Riptide,” found a way to take the bridge’s address. Unconscious users would then send their ETH not to Arbitrum, but to the hacker’s address.
Riptide reports that the vulnerability was overlooked when Arbitrum pushed for cheaper trades. The hacker says the vulnerability could be fixed with a single line of code.
The vulnerability could have resulted in a huge loss. The largest deposit was a whopping 168,000 ETH, currently worth around $220 million. Deposits are made regularly and Riptide reports that the total amount could have reached as much as $470 million.
No big deal just bridging a cool $470mm through the same Inbox contract 👀
Definitely should be eligible for a max bounty
— riptide (@0xriptide) September 20, 2022
Hacker receives reward, but is not happy
For his efforts, the hacker received a reward of 400 ETH, worth about $520,000. At first, Riptide was grateful, but later the hacker says Arbitrum should have handed over the maximum reward of $2 million.
Riptide may also have had the option to steal the total amount and ask for a 10% reward of $47 million: “The white hat dilemma,” the hacker calls it. That could have been done all at once, or in small increments so as not to be noticed, Riptide claims.
Yesterday, Crypto Insiders reported on a hacker who stole $160 million from DeFi platform Wintermute. The founder still hopes that it is a white hat hacker and indeed offers him 10% of the stolen amount if he returns the rest.
Cross-chain bridges have been targeted more often this year. Over the summer, $200 million was stolen from Nomad. According to Chainalysis, hackers have already stolen at least $2 billion this year with these types of “bridge hacks.”
