A white hat hacker who goes by the name ‘Riptide’ has discovered a fund-draining bug in the latest upgrade to Arbitrum Nitro, an Ethereum scaling network that rolls up batches of transactions into one to save users time and costly fees.
The vulnerability could have been used to hijack all Ethereum deposits passing through the Ethereum-Arbitrum bridge; the largest single deposit on record was 168,000 ETH, a little over $225 million.
His finding effectively saved hundreds of millions in bridged funds from being stolen. Riptide explained: “We could either selectively target large ETH deposits to remain undetected for a longer period of time, siphon up every single deposit that comes through the bridge, or wait and just front-run the next massive ETH deposit.”
Arbitrum builder OffChain Labs rewarded the hacker with a bounty of 400 ETH (worth approximately $536,500) for sharing his discovery.
Riptide, who estimates that typical deposits range from 1,000 to 5,000 ETH in a 24-hour period, worth between $1.34 million and $6.7 million, thinks he was worthy of a bigger bounty. He expressed his frustrations on Twitter, saying he “should be eligible for a max bounty,” which is worth $2 million.