One of the strengths of blockchains is undoubtedly security. When this is compromised, nothing goes. So when a bounty hunter announces a possible flaw in the system, Arbitrum does not hesitate to see what it is and to reward whoever discovered it.
Threat annihilated between Ethereum (ETH) and Arbitrum Nitro
As the crypto industry grows, it is important to emphasize network security to protect investors. At the end of August, Ethereum’s most popular layer 2 announced that it was getting a facelift with the rollout of Arbitrum Nitro.
Since the transition to Proof-of-Stake (PoS) does not involve the reduction of gas fees, layer 2s are forced to continue to thrive to help ETH offload part of its network. Until then, Nitro, the Arbitrum solution works quite well but some technical flaws are very quickly felt.
According to details that surfaced on Tuesday morning, Arbitrum paid a bug bounty of ETH 400 ($520,000) to the Solidity bounty hunter known by the alias Oxriptide. The latter discovered a vulnerability that could have compromised more than 250 million dollars. According to Oxriptide, this flaw could have affected any user who tried to transfer funds from Ethereum to Arbitrum Nitro.
An advantageous exploit for layer 2
Oxriptide began its initial research a few weeks before the Arbitrum Nitro upgrade. His daily routine involves browsing ImmuneFi, a bug bounty platform that has prevented over $20 billion in hacks. But its main purpose has changed slightly lately. As he stated in a reporthe recently started working on preventing cross-chain exploits.
According to him, they pose a much larger amount of funds at risk because of the honeypot structure of most protocols. Thus, during his investigation, he detected a flaw in which the bridge contract could accept deposits even if the contract had been reset before. He claims that when you come across an uninitialized address variable in Solidity, you have to think about it a few times because you never know the real reason why it is that way.
So after further research into the uninitialized address, he discovered that by mimicking the actual contract, a hacker could set his own address as the bridge and steal all incoming ETH deposits from Ethereum to Arbitrum Nitro. The hacker could then either launch a guerrilla-style attack to siphon off all incoming funds or target larger ETH deposits to hide their actions.
Arbitrum pays a bug bounty of 400 ETH for detecting a bridge vulnerability. But this is nothing compared to what layer 2 would have lost if Oxriptide had not alerted it. Indeed, he could have lost between 1,000 and 5,000 ETH over a 24-hour period where the hacker would have used the flaw.
Receive a digest of news in the world of cryptocurrencies by subscribing to our new service ofdaily and weekly so you don’t miss any of the essential Tremplin.io!