A white hat hacker discovered a bug in the latest update of Arbitrum, an Ethereum scaling network, which could have resulted in the theft of over $530 million.

Arbitrum builder OffChain Labs earlier this week rewarded the hacker, who operates under the pseudonym 0xriptide, with a bounty of 400 ETH (worth around $530,000) for sharing the discovery.

Arbitrum launched its latest update, Nitro, on August 31 in anticipation of the Ethereum Merge, the recent and highly anticipated transition of the Ethereum network from a proof-of-work consensus mechanism to proof of stake.

Immediately after launching Arbitrum Nitro, 0xriptide began scanning its code for vulnerabilities, according to a blog post detailing the discovery.

Ethereum scaling networks like Arbitrum get around the slow Ethereum mainnet and its expensive transaction fees by “wrapping” a large number of Ethereum transactions on a separate chain and then relaying them to the Ethereum mainnet in a single transaction. This greatly increases the speed and affordability of Ethereum transactions, but it can also expose users to vulnerabilities.

0xriptide discovered that the bridge between the Ethereum mainnet and Arbitrum Nitro contained a flaw that would allow any industrious hacker to replace Arbitrum’s destination address with their own. Essentially, all funds intended to flow from Ethereum to Arbitrum could instead be redirected directly into a hacker’s wallet.

According to 0xriptide, a hacker could have used the bug to selectively target massive individual deposits and avoid detection, or to siphon off Arbitrum’s entire inbound stream of deposits. In the period between Arbitrum Nitro’s debut in late August and when 0xriptide notified OffChain Labs of the bug, over 400,000 ETH, or $534 million at the time of writing, moved to Arbitrum from Ethereum, according to data from a Dune Analytics dashboard.

0xriptide also noted that over the past three weeks, the largest single deposit into Arbitrum was 168,000 ETH, or $225 million at the time of writing. During this period, however, no hackers exploited the bug and Arbitrum suffered no attack.

So-called cross-chain bridge attacks like the one 0xriptide may have prevented are all too common in the world of Ethereum scalers. In March, Lazarus Group, a North Korean-affiliated hacking group, stole $622 million worth of ETH by infiltrating an Ethereum sidechain bridge used by the play-to-earn game Axie Infinity. The same group scooped up $100 million in June by targeting another Ethereum sidechain bridge used by Harmony Protocol.

After confirming the flaw in Arbitrum Nitro, OffChain Labs sent 0xriptide a payment of 400 ETH, or just over $530,000, through the web3 bug bounty platform Immunefi.

“Thanks to the extremely grounded team at Arbitrum for providing a bounty of 400 ETH, and of course creating incredible technological innovation with their L2 implementation,” 0xriptide wrote on Monday.

However, the hacker may have developed doubts about the value of their discovery. On Tuesday, they tweeted that, given the hundreds of millions of dollars saved, Arbitrum could have been more generous:
