Arbitrum Rewards Hacker With 400 ETH For Detecting a Critical $400M Vulnerability

On September 19, Arbitrum, one of the most popular Layer 2 solutions for Ethereum, paid 400 ETH (about $560,000) to a white hat hacker who found a potential vulnerability in its code.

The white hat hacker, known on Twitter as Riptide, finds vulnerabilities within smart contracts written in Solidity. Riptide said the “multi-million dollar vulnerability” could potentially affect anyone who wanted to exchange funds from Ethereum to Arbitrum Nitro.

No big deal just bridging a cool $470mm through the same Inbox contract 👀

Definitely should be eligible for a max bounty

🤯 https://t.co/w7S58QNQZu

— riptide (@0xriptide) September 20, 2022

Arbitrum Prevented Millions of Dollars in Losses

The hacker thoroughly scanned the Arbitrum Nitro code a few weeks before it was released, checking the contracts so they could “see if the update had been a success.”

After the upgrade, Riptide noticed some errors that prevented the bridge from working correctly. Upon further inspection, Riptide noticed that the inbox sequencer was experiencing a delay.

“A client can send a message to the Sequencer by signing and publishing an L1 transaction in the Arbitrum chain’s Delayed Inbox. This functionality is most commonly used for depositing ETH or tokens via a bridge.”

After rescanning the contract, Riptide confirmed that the inbox sequencer bug allowed a critical vulnerability in the contract by which Riptide or another malicious hacker could have obtained millions of dollars by diverting incoming ETH deposits from the L1 to the L2 bridge into their wallets before being detected.

My bug bounty write-up on a critical vulnerability I discovered on Arbitrum Nitro which allowed an attacker to steal all incoming ETH deposits to the L1->L2 bridgehttps://t.co/WuR4RYUL3L@icodeblockchain @samiamka2 @Mudit__Gupta @0xRecruiter @BowTiedCrocodil @BowTiedDevil

— riptide (@0xriptide) September 20, 2022

However, Riptide decided to report the vulnerability and apply for a reward instead, which to their surprise, was just 400 ETH instead of the $2 million reward Arbitrum offered as its maximum tier. Upon receiving the reward, the hacker argued that it was not in line with the importance of the bug and the risk it entailed.

My point is that if you post a $2mm bounty- be prepared to pay it when it’s justified. Otherwise just say the max bounty is 400 ETH and be done with it.

Hackers watch which projects pay out and which do not

IMO not a good idea to incentivize a whitehat to go blackhat

— riptide (@0xriptide) September 20, 2022

It is worth mentioning that in March 2022, Arbitrum was the victim of an exploit in which a hacker or a group of hackers stole more than 100 NFT from TreasureDAO, with a valuation of at least $1.4 million.

White Hat Hackers: A Lucrative Business in Crypto-Land

Independent auditing is of huge importance in the crypto ecosystem. Over the course of the year, several platforms have opted to pay bounties to white hat hackers who report potential vulnerabilities in their code or smart contracts.

For example, in mid-February, Coinbase paid “the largest bounty in its history” ($250,000) to a hacker named “Tree of Alpha” for saving them from a billion-dollar loss due to a flaw in the “Advanced Trading” feature.

At the time, Tree of Alpha was grateful for the payment stating that it could serve him well in retirement; however, like Riptide, he noted that “a higher bounty might have been smart to deter more gray hats from exploiting vulnerabilities.”

Also,  Jay “Saurik” Freeman —who works with the decentralized VPN protocol Orchid and is a legend in the iOS jailbreak community—received over $2 million for reporting a vulnerability in Optimism, a “layer 2 scaling solution” for Ethereum.