
White hat hacker grumbles over Arbitrum bounty reward after saving network from $475M loss


Riptide, a white hat hacker who discovered a vulnerability on Arbitrum, tweeted that his find was eligible for the maximum bounty reward of $2 million instead of the 400 ETH ($53,000) reward he received.

Ethereum scaling tool Arbitrum escaped a multimillion-dollar hack after the white hat hacker spotted a vulnerability in the bridge connecting the layer 2 network to Ethereum's mainnet. The vulnerability affected how transactions are submitted and processed on the network and would have allowed malicious players to steal all the funds sent to the layer 2 network.

The vulnerability

According to the white hat hacker, incoming transactions to Arbitrum through the bridge could be hijacked by malicious players who could set their address as the recipient address.

Riptide added that such an exploit could have gone undetected for a long time if the attacker targeted only large ETH deposits, or the attacker could simply have front-run the next major ETH deposit.

Given that the largest deposit on the inbox contract in the last 24 hours was 168,000 ETH ($250 million), exploiting the vulnerability could have led to a loss of hundreds of millions.

Bounty reward

While Riptide initially praised Arbitrum for the 400 ETH reward, the white hat hacker later tweeted that his work deserved the maximum bounty of $2 million.

Riptide said:

“My point is that if you post a $2mm bounty — be prepared to pay it when it’s justified. Otherwise, just say the max bounty is 400 ETH and be done with it. Hackers watch which projects pay out and which do not. IMO not a good idea to incentivize a whitehat to go blackhat.”

Riptide’s new comments were made after a Twitter user showed that the bridge was recently used to transfer over $400 million.

Meanwhile, bridge exploits are one of the biggest security concerns in the crypto industry presently. Attacks on bridges have led to the loss of almost $1 billion in the past year alone.
