White hat hacker grumbles over Arbitrum bounty reward after saving network from $475M loss
Riptide, the white hat hacker who discovered the Arbitrum vulnerability, tweeted that his discovery is now eligible for a bounty of up to $2 million, instead of the 400 ETH ($53,000) he earned.
Not much if you’re just bridging $470 million through the same Inbox deal 👀
You should definitely be eligible for the max bounty
— Riptide (@0xriptide) September 20, 2022
Ethereum scaling tool Arbitrum averted a multi-million dollar hack after a white hat hacker discovered a vulnerability in the bridge that connects the layer 2 network to Ethereum's mainnet. The vulnerability affected how transactions were sent and processed on the network, and would have allowed malicious actors to steal all funds sent to the layer 2 network.
Vulnerability
According to the white hat hacker, transactions coming into Arbitrum through the bridge could be hijacked by malicious actors who could set their own address as the recipient address.
Riptide continued that if hackers had targeted only large ETH deposits, or front-run the next major ETH deposit, such exploits could have gone undetected for a long time.
Given that the largest inbox contract deposit in the last 24 hours was 168,000 ETH ($250 million), exploiting this vulnerability could lead to hundreds of millions of dollars in losses.
Bounty reward
While Riptide initially praised Arbitrum for its 400 ETH reward, the white hat hacker later tweeted that his work was worth up to a $2 million bounty.
Riptide said:
“What I mean is if you give us a $2 million bounty, be prepared to pay it when it is justified. Hackers will watch which projects are profitable and which are not. IMO motivating white hats to become black hats is not a good idea.”
Riptide’s new comments come after a Twitter user indicated that the bridge was recently used to transfer more than $400 million.
I’m doing this again because my other quote tweet was censored by Twitter. The Arbitrum bridge bug is serious bridge bug #3 caused by improper initializers, just in case you need another reason to get rid of initializers. Surprised Arbitrum only paid out 400 ETH, not the biggest win given the following deposits: https://t.co/Lx32UVjDtF pic.twitter.com/cmSx1HMI1k
— smartcontracts.eth (✨🔴_🔴✨) (@kelvinfichter) September 20, 2022
Bridge exploits, meanwhile, are one of the biggest security concerns in the cryptocurrency industry today. Attacks on bridges have resulted in losses of about $1 billion in the past year alone.