- Arbitrum paid 400 ETH via ImmuneFi to white hat hacker
- Arbitrum bridge bug was caused by bad initializers in the contract code
Another cryptocurrency vulnerability has been uncovered by a so-called white hat hacker, who found an exploitable bug in the bridge between Ethereum and Arbitrum Nitro.
The hacker, known as riptide on Twitter, outlined their discovery, which comes on the heels of an escalating series of hacks in the bridges that connect different blockchains, which collectively have been drained of hundreds of millions of dollars of predominantly user funds this year.
Arbitrum, the layer‑2 Ethereum scaling solution, paid riptide a bounty of 400 ether (ETH) as a reward via the bug bounty platform ImmuneFi.
The multi-million dollar vulnerability, as riptide called it, would have allowed an attacker to steal all incoming ether deposits from users attempting to bridge their assets between Ethereum layer‑1 and layer‑2 protocols to Arbitrum.
The initialization-related vulnerability, according to the white hat hacker, would have enabled any nefarious actor to impersonate a user and send the authentication message to the “sequencerInbox” function to execute the vulnerability.
The largest deposit recorded on the inbox contract was 168,000 ETH, around $250 million, with average deposits ranging from 1,000 to 5,000 ETH in a 24-hour period, riptide said.