{"id":494751,"date":"2022-09-21T07:58:06","date_gmt":"2022-09-21T04:58:06","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/white-hat-finds-huge-vulnerability-in-eth-to-arbitrum-bridge-wen-max-bounty\/"},"modified":"2022-09-21T07:58:06","modified_gmt":"2022-09-21T04:58:06","slug":"white-hat-finds-huge-vulnerability-in-eth-to-arbitrum-bridge-wen-max-bounty","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/white-hat-finds-huge-vulnerability-in-eth-to-arbitrum-bridge-wen-max-bounty\/","title":{"rendered":"# White hat finds huge vulnerability in ETH to Arbitrum bridge: Wen max bounty?"},"content":{"rendered":"<h1>White hat finds huge vulnerability in ETH to Arbitrum bridge: Wen max bounty?<\/h1>\n<p><img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMDkvNDBkYTgxZTYtYTMzNi00MTc5LThjZGItNGEwY2Y3NTcwOTgzLmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-6ebd806f><p>A self-described white hat hacker has uncovered a \u201cmulti-million dollar vulnerability\u201d in the bridge linking Ethereum and Arbitrum Nitro and received a 400 Ether (ETH) bounty for their find.<\/p>\n<p>Known as riptide on <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">Twitter<\/a>, the hacker described the exploit as the use of an initializing function to set their own bridge address, which would hijack all incoming ETH deposits from those trying to bridge funds from Ethereum to Arbitrum Nitro.<\/p>\n<p>Riptide explained the exploit in a Medium <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/medium.com\/@0xriptide\/hackers-in-arbitrums-inbox-ca23272641a2\">post<\/a> on Sept. 
20:<\/p>\n<blockquote><p>\u201cWe could either selectively target large ETH deposits to remain undetected for a longer period of time, siphon up every single deposit that comes through the bridge, or wait and just front-run the next massive ETH deposit.\u201d<\/p><\/blockquote>\n<p>The hack could potentially have netted tens or even hundreds of millions of dollars worth of ETH: the largest deposit riptide recorded in the inbox was 168,000 ETH, worth over $225 million, and typical deposits ranged from 1,000 to 5,000 ETH in a 24-hour period, worth between $1.34 million and $6.7 million.<\/p>\n<p>Despite the earning potential of the ill-gotten gains, riptide was thankful that the \u201cextremely based Arbitrum team\u201d provided a 400 ETH bounty, worth over $536,500. However, they added later on Twitter that such a find \u201cshould be eligible for a max bounty,\u201d which is <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/immunefi.com\/bounty\/arbitrum\/\">worth<\/a> $2 million.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">No big deal just bridging a cool $470mm through the same Inbox contract <\/p>\n<p>Definitely should be eligible for a max bounty<\/p>\n<p> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/w7S58QNQZu\">https:\/\/t.co\/w7S58QNQZu<\/a><\/p>\n<p>\u2014 riptide (@0xriptide) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/0xriptide\/status\/1572215767029977094?ref_src=twsrc%5Etfw\">September 20, 2022<\/a><\/p><\/blockquote>\n<p>Neither Arbitrum nor its creator company OffChain Labs has publicly commented on the exploit. Cointelegraph contacted OffChain Labs for comment but did not immediately hear back.<\/p>\n<p><strong><em>Related: <\/em><\/strong><strong><em>ETHW confirms contract vulnerability exploit, dismisses replay attack claims<\/em><\/strong><\/p>\n<p>Arbitrum is a 
layer-2 Optimistic Rollup solution for Ethereum that bundles transactions into batches before submitting them to the Ethereum network in an effort to minimize network congestion and save on fees. Arbitrum Nitro launched on Aug. 31, an upgrade aimed at simplifying communication between Arbitrum and Ethereum and increasing transaction throughput at lower fees.<\/p>\n<p>Similar bridge hacks have been successful for exploiters this year, notably the $100 million stolen from the Horizon Bridge in June and the Nomad token bridge incident in August, which saw $190 million drained by the original hackers and \u201ccopycat\u201d hackers repeating the exploit.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" 
href=\"https:\/\/cointelegraph.com\/news\/white-hat-finds-huge-vulnerability-in-eth-to-arbitrum-bridge-wen-max-bounty\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8221; White hat finds huge vulnerability in ETH to Arbitrum bridge: Wen max bounty? &#8220; A self-described white hat hacker has uncovered a \u201cmulti-million dollar vulnerability\u201d in the bridge linking Ethereum and Arbitrum Nitro and received a 400 Ether (ETH) bounty for their find. Known as riptide on Twitter, the hacker described the exploit as&#8230;<\/p>\n","protected":false},"author":1,"featured_media":494752,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/images\/1200_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjItMDkvNDBkYTgxZTYtYTMzNi00MTc5LThjZGItNGEwY2Y3NTcwOTgzLmpwZw==.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[133065,74868,74882,95119,75434,70944],"class_list":["post-494751","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-arbitrum","tag-defi","tag-hacks","tag-layer2","tag-smart-contracts","tag-hackers"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/494751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=494751"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/494751\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media
\/494752"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=494751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=494751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=494751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}