Arbitrum’s bridge critical flaw: white hat gets 400 ETH bounty

by Tim

Without the vigilance of a white hat, the Arbitrum bridge connected to Ethereum (ETH) could have suffered a major hack. A flaw in the code could have allowed a malicious actor to divert all the funds passing through the application.

White hat avoids the worst at Arbitrum bridge

The white hat hacker, going by the pseudonym riptide, discovered a major flaw in the bridge that allows communication between Ethereum (ETH) and Arbitrum. As a reward for his work, he received a bounty of 400 ETH, or just over $530,000 at the current price.

If this flaw had been exploited by a malicious actor, it could have been catastrophic. riptide explains that, starting from an anomaly concerning a variable in the code, he was able to prototype a program capable of diverting all the ETH passing through the bridge.

To date, the largest deposit is 168,000 ETH, or over $220 million. On a daily basis, it is also common to see deposits of between 1,000 and 5,000 ETH.

A hacker could then have chosen to target certain strategic deposits, in order to profit over time, or simply to divert all the funds. Arbitrum thus avoided a catastrophe on a large scale, thanks to the vigilance of this white hat.

The strategic importance of bridges

By default, an asset can only exist on one blockchain. In order to move it from one network to another, a bridge is needed. This technology locks cryptocurrencies in a smart contract, in order to create a synthetic version on the target chain.

To go the other way, these synthetic versions are destroyed to release the underlying asset on the original chain. This means that if the deposit contract is emptied by a malicious actor, the bridged assets become worthless.

The fact that such applications lock up a large pool of money makes them prime targets for hackers. This has been demonstrated several times this year, through the attacks on Ronin, Wormhole, or more recently Harmony’s Horizon Bridge.

This is why the various Web3 applications offer bounty tiers depending on the severity of the bugs found. This allows talented researchers to use their knowledge to find flaws in smart contracts. These white hats thus contribute to strengthening the security of the ecosystem, earning rewards through intermediaries such as Immunefi.
