Riptide, a white hat hacker that discovered a vulnerability on Arbitrum, tweeted that his find was eligible for the max bounty reward of $2 million instead of the 400 ETH ($53,000) reward he got.
No big deal just bridging a cool $470mm through the same Inbox contract ?
Definitely should be eligible for a max bounty
— riptide (@0xriptide) September 20, 2022
Ethereum scaling tool Arbitrum escaped a multimillion-dollar hack after the hacker spotted a vulnerability in the bridge connecting the layer2 network to ETH’s mainnet. The vulnerability affected how transactions are submitted and processed on the network and would have allowed malicious players to steal all the funds sent to the layer2 network.
According to the white hat hacker, incoming transactions to Arbitrum through the bridge could be hijacked by malicious players who could set their address as the recipient address.
Riptide continued that such an exploit could have gone undetected for a long time if the hacker targeted only large ETH deposits, or they could have just front-ran the next major ETH deposit.
Given that the largest deposit on the inbox contract in the last 24 hours was 168,000 ETH ($250 million), exploiting the vulnerability could have led to a loss of hundreds of millions.
While Riptide initially praised Arbitrum for the 400 ETH reward, the white hat hacker later tweeted that his work deserved the maximum bounty of $2 million.
“My point is that if you post a $2mm bounty — be prepared to pay it when it’s justified. Otherwise, just say the max bounty is 400 ETH and be done with it. Hackers watch which projects pay out and which do not. IMO not a good idea to incentivize a whitehat to go blackhat.”
Riptide’s new comments were made after a Twitter user showed that the bridge was recently used to transfer over $400 million.
Doing this again since my other quote tweet got censored by tweeter. Arbitrum bridge bug is critical bridge bug #3 caused by bad initializers, in case we needed another reason to get rid of initializers. Surprised Arbitrum only paid 400 ETH and not max bounty given deposits like: https://t.co/Lx32UVjDtF pic.twitter.com/cmSx1HMI1k
— smartcontracts.eth (✨?_?✨) (@kelvinfichter) September 20, 2022
Meanwhile, bridge exploits are one of the biggest security concerns in the crypto industry presently. Attacks on bridges have led to the loss of almost $1 billion in the past year alone.