254
Views
0 CommentsA white hat hacker has discovered a bug within the latest upgrade for Arbitrum, an Ethereum scaling network, that could have led to the theft of over $530 million. A bug in the latest upgrade for Arbitrum had been live for almost three weeks but had not yet been exploited.
Arbitrum builder OffChain Labs earlier this week rewarded the hacker, who operates under the pseudonym 0xriptide, with a bounty of 400 ETH (worth approximately $530,000) for sharing the discovery.
The vulnerability was discovered by pseudonymous solidity bounty hunter “0xriptide.” It could have affected any user who attempted to bridge funds from Ethereum to Arbitrum Nitro, 0xriptide said.
0xriptide’s day-to-day is comprised of scouring ImmuneFi, a bug bounty platform that has prevented hacks of more than $20 billion. His primary focus lately has been centered on preventing cross-chain exploits, as they pose a sizably larger amount of funds at risk due to the “honeypot” structure of most bridge protocols, he said in the report.
His initial search for the Arbitrum exploit began a few weeks ago ahead of the Arbitrum Nitro upgrade. Upon his initial investigation, he found a vulnerability where the bridging contract was able to accept deposits, even though the contract was initialized previously.
0xriptide also noted that within the last three weeks, the largest single deposit to Aribtrum amounted to 168,000 ETH, or $225 million. In that period, however, no hacker exploited the bug, and Arbitrum suffered no attacks.
Cross-chain bridge attacks like the one 0xriptide may have prevented are all-too-common in the world of Ethereum scalers. In March, Lazarus Group, a North Korea-affiliated hacking group, stole $625 million worth of ETH by infiltrating an Ethereum sidechain bridge used by the play-to-earn game Axie Infinity. That same group made away with $100 million in June by targeting another Ethereum sidechain bridge utilized by Harmony Protocol.
The crypto space has faced several white hat hacking. Such hacks on different platforms are linked with discovering potential vulnerabilities in the network’s smart contracts or the code.
An employee of Orchid, DeFi VPN protocol, Jay ‘Saurik’ Freeman, reported a vulnerability in Optimism, an Ethereum L2 scalability solution. As a result, the protocol rewarded Freeman with $2 million.
Also, Coinbase parted with $250,000 to a hacker known as ‘Tree of Alpha’ in the middle of February. The hacker discovered a lapse in the ‘Advanced Trading’ feature of the crypto exchange and saved about a billion-dollar loss. Coinbase reported that the payment is the enormous bounty in its history.
