On September 19, Arbitrum, one of the most popular layer 2 solutions for Ethereum, paid 400 ETH (about $560,000) to a white hat hacker who found a potential vulnerability in the network.
The white hat hacker, who became known on Twitter as Riptide, found vulnerabilities in smart contracts written in Solidity. Riptide said this multimillion-dollar vulnerability could affect anyone who wants to transfer money from Ethereum to Arbitrum Nitro.
No big deal just bridging a cool $470mm through the same Inbox contract 👀
Definitely should be eligible for a max bounty
— riptide (@0xriptide) September 20, 2022
Arbitrum promptly prevented millions of dollars in damages
White hat hackers had been combing through the Arbitrum Nitro code in the weeks before its release, checking the contracts to see whether the new upgrade had gone through successfully. After the upgrade, Riptide noticed several bugs that kept the bridge from working properly.
Upon closer inspection, Riptide noticed something wrong with the Delayed Inbox used by the Sequencer.
“Customers can send messages to the Sequencer by signing and issuing L1 transactions in the Arbitrum Chain Delayed Inbox. This function is commonly used in sending ETH or tokens via bridge.”
After rescanning the contract, Riptide confirmed that a sequencing error in the inbox created a serious flaw that Riptide, or any malicious hacker, could have exploited to rake in millions of dollars by redirecting ETH deposits bound for the L1-to-L2 bridge into their own wallet before anyone noticed.
My bug bounty write-up on a critical vulnerability I discovered on Arbitrum Nitro which allowed an attacker to steal all incoming ETH deposits to the L1->L2 bridge
https://t.co/WuR4RYUL3L @icodeblockchain @samiamka2 @Mudit__Gupta @0xRecruiter @BowTiedCrocodil @BowTiedDevil — riptide (@0xriptide) September 20, 2022
Riptide nevertheless chose to report the vulnerability and claim the reward. Surprisingly, the payout was only 400 ETH rather than the $2 million the hacker had argued was warranted. Upon receiving it, the hacker said the amount did not match the severity of the bug or the risk it posed.
My point is that if you post a $2mm bounty- be prepared to pay it when it’s justified. Otherwise just say the max bounty is 400 ETH and be done with it.
Hackers watch which projects pay out and which do not
IMO not a good idea to incentivize a whitehat to go blackhat
— riptide (@0xriptide) September 20, 2022
It is worth mentioning that in March 2022, Arbitrum was the victim of an exploit in which a hacker or group of hackers stole more than 100 NFTs from TreasureDAO with a valuation of at least $1.4 million.
White Hat Hackers: A Job in Crypto-Land
Independent audits are of great importance in the cryptocurrency ecosystem. Over the past year, several platforms have decided to pay bounties to white hat hackers who report potential vulnerabilities in their code or smart contracts.
For example, in mid-February, Coinbase paid “the largest bounty in history” ($250,000) to a hacker called “Tree of Alpha,” who saved the exchange from potentially billions of dollars in losses caused by a bug in its “Advanced Trading” feature.
At the time, Tree of Alpha was grateful for the bounty, saying it would serve him well in retirement. However, like Riptide, he noted that “higher bonuses can prevent many gray hats from exploiting security vulnerabilities.”
Additionally, Jay “Saurik” Freeman, who works with the Orchid decentralized VPN protocol and is a legend in the iOS jailbreak community, received more than $2 million for reporting a vulnerability in Optimism, a “layer 2 scaling solution” for Ethereum.