Arbitrum’s vulnerability and bounty were revealed this morning. The now-fixed vulnerability had the potential to compromise more than $250 million.
The vulnerability was found by “0xriptide,” a pseudonymous Solidity bounty hunter. According to 0xriptide, it might have harmed any user who attempted to bridge funds from Ethereum to Arbitrum Nitro.
Arbitrum has compensated 0xriptide with 400 ETH (about $520,000) for reporting the issue.
0xriptide’s typical day consists of scouring ImmuneFi, a bug bounty platform that has stopped more than $20 billion in hacks. According to the study, his primary focus recently has been on preventing cross-chain exploits, which put a far larger amount of assets at risk because of the “honeypot” structure of most bridge protocols.
His search for the Arbitrum exploit began a few weeks ago, in anticipation of the Arbitrum Nitro upgrade. During his initial examination, he discovered a vulnerability in which the bridging contract might take deposits even though it had previously been initialized.
According to 0xriptide,
“When you stumble upon an uninitialized address variable in Solidity — you should always take a moment to pause and investigate further because you never know if it was purposefully left uninitialized or by accident.”
The bridge exploitation
By digging into the uninitialized address, 0xriptide found that an attacker could set their own address as the bridge, impersonating the genuine contract and capturing any incoming ETH deposits from Ethereum to Arbitrum Nitro.
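The pattern described above, as an added illustration in Solidity that is not Arbitrum’s code and not taken from 0xriptide’s write-up: an inbox whose bridge address is left at its zero default and whose initializer anyone can call, next to a hardened version that restricts initialization to one call by the owner, rejects the zero address, and refuses deposits while the bridge is unset. The contract, interface and function names are assumed for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed illustration of the pattern described in the article; not Arbitrum's code.
// A storage variable of type address defaults to address(0) until something sets it.

interface IBridge {
    function deliverMessage(address sender) external payable;
}
// Vulnerable pattern: initialize() has no guard, so whoever calls it first (or any
// later caller) can point `bridge` at an address they control, and deposits follow it.
contract InboxUnguarded {
    IBridge public bridge;

    function initialize(IBridge _bridge) external {
        bridge = _bridge;               // no owner check, no one-time guard
    }

    function depositEth() external payable {
        bridge.deliverMessage{value: msg.value}(msg.sender);
    }
}

// Hardened pattern: initialization is one-time and owner-only, the zero address is
// rejected, and deposits revert while the bridge is still unset (fail closed).
contract InboxGuarded {
    IBridge public bridge;
    address public immutable owner;
    bool private initialized;

    error AlreadyInitialized();
    error NotOwner();
    error ZeroAddress();
    error BridgeNotSet();
    constructor() { owner = msg.sender; }

    function initialize(IBridge _bridge) external {
        if (msg.sender != owner) revert NotOwner();
        if (initialized) revert AlreadyInitialized();
        if (address(_bridge) == address(0)) revert ZeroAddress();
        initialized = true;
        bridge = _bridge;
    }

    function depositEth() external payable {
        if (address(bridge) == address(0)) revert BridgeNotSet();
        bridge.deliverMessage{value: msg.value}(msg.sender);
    }
}
```

The check worth carrying into a review is the last one: a contract that forwards value to an address it reads from storage should never do so while that address is still zero or settable by an unauthenticated caller.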
An attacker could have chosen to target only larger ETH deposits in order to conceal their activity, or to siphon off all incoming funds in a guerrilla-style attack.
During the window in which the exploit was possible, the largest single deposit was around 168,000 ETH, or $250 million. The average deposit in any 24-hour period during which the vulnerability could have been abused ranged between 1,000 and 5,000 ETH.