Details emerged this morning of a vulnerability and bounty paid by Arbitrum. The patched exploit could have compromised more than $250 million.
The vulnerability was discovered by pseudonymous Solidity bounty hunter “0xriptide.” It could have affected any user who attempted to bridge funds from Ethereum to Arbitrum Nitro, 0xriptide said.
Arbitrum has paid 0xriptide 400 ETH (about $520,000) as compensation for alerting it to the vulnerability.
0xriptide’s day-to-day consists of scouring ImmuneFi, a bug bounty platform that has prevented hacks of more than $20 billion. His primary focus lately has been on preventing cross-chain exploits, which put a considerably larger amount of funds at risk because of the “honeypot” structure of most bridge protocols, he said in the report.
His initial search for the Arbitrum exploit began a few weeks ago, ahead of the Arbitrum Nitro upgrade. His initial investigation turned up a vulnerability in which the bridging contract was able to accept deposits even though the contract had already been initialized.
“When you stumble upon an uninitialized address variable in Solidity — you should always take a moment to pause and investigate further because you never know if it was purposefully left uninitialized or by accident.”
The bridge exploit
After digging into the uninitialized address, 0xriptide found that a hacker would be able to set their own address as the bridge, mimicking the actual contract, and steal all the incoming ETH deposits from Ethereum to Arbitrum Nitro.
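To make the pattern concrete, here is a constructed Solidity illustration of the bug class described above (a bridge address that is never initialized and can be set after deployment, with no one-time guard), shown beside a hardened form. This is an added example and not Arbitrum's Inbox code; the contract and function names are invented for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed illustration, not Arbitrum's code. The inbox forwards ETH deposits
// to `bridge`, which defaults to address(0) and is never set in the constructor.
contract VulnerableInbox {
    address public bridge; // uninitialized: stays address(0) after deployment

    // No access control and no one-time guard: the address can be set (or reset)
    // by any caller, so deposits can be pointed at an arbitrary contract.
    function setBridge(address _bridge) external {
        bridge = _bridge;
    }

    function depositEth() external payable {
        // Forwards funds to whatever `bridge` currently holds, even if it is
        // not the real bridge.
        (bool ok, ) = bridge.call{value: msg.value}("");
        require(ok, "forward failed");
    }
}

// Hardened form: the bridge address is set exactly once by the deployer,
// never to the zero address, and deposits refuse to run until it is set.
contract HardenedInbox {
    address public immutable owner;
    address public bridge;
    bool private initialized;

    constructor() {
        owner = msg.sender;
    }

    function initialize(address _bridge) external {
        require(msg.sender == owner, "not owner");
        require(!initialized, "already initialized");
        require(_bridge != address(0), "zero bridge");
        initialized = true;
        bridge = _bridge;
    }

    function depositEth() external payable {
        require(initialized, "not initialized");
        (bool ok, ) = bridge.call{value: msg.value}("");
        require(ok, "forward failed");
    }
}
```

A review check that catches this class of bug is to list every storage address a contract forwards value to and confirm each one is assigned exactly once under access control, with deposits rejected while it is still address(0).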
The hacker would have had the flexibility of either targeting larger ETH deposits in order to obscure their actions, or beginning a guerrilla-style attack and siphoning off all the funds coming in.
The largest deposit during the period when the exploit could have occurred was roughly 168,000 ETH, or $250 million. The average deposits in any 24-hour period when the vulnerability could have been exploited were anywhere from 1,000 to 5,000 ETH.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.