Hacker Rewarded 400ETH For Saving $470M Hack

Arbitrum offers 400 ETH reward to prevent $470M hack

On September 19th, Arbitrum, one of Ethereum's most popular layer 2 solutions, paid 400 ETH to a white hat hacker for discovering a potential vulnerability in their code.

A white hat hacker known as Riptide on Twitter, discovered a vulnerability in smart contracts written in Solidity.

Riptide said the “multi-million-dollar vulnerability” could affect anyone looking to swap funds from Ethereum to Arbitrum Nitro.

[{"selector":"#anim-ad1185c6-3f39-4ad8-98ad-0f75ba4cb3dc","keyframes":[{"offset":0,"transform":"translate3d(0, -486.29366%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.29,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.45,"transform":"translate3d(0, -136.745777192%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.61,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.71,"transform":"translate3d(0, -46.489673896%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.8,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.85,"transform":"translate3d(0, -17.457942394%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.92,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.96,"transform":"translate3d(0, -7.586181096%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":1,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"}],"delay":0,"duration":1600,"fill":"both"}] [{"selector":"#anim-3403f7fc-a89d-4ec1-b50c-baa49c8f830c","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}]

Weeks before the Arbitrum Nitro code release, hacker thoroughly scanned it and checked contracts to "see if the update was successful."

[{"selector":"#anim-76247b3a-1a0a-4af4-8d09-ab3cbb08bbfc","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-950bd712-faaf-4cb0-9894-44f6ca007bdb","keyframes":{"opacity":[0,1]},"delay":0,"duration":1500,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}]

Riptide has noticed some bugs that prevent the bridge from working properly. Upon further investigation, Riptide found that his sequencer was lagging in his inbox.

[{"selector":"#anim-661a7eaf-68f4-466f-815f-c9a92a90ceef","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-f2632e78-2a38-4df0-9f08-bdba0bd81493","keyframes":{"opacity":[0,1]},"delay":0,"duration":1500,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}]

After rescanning the contract, Riptide found a bug in the inbox sequencer that allowed Riptide or another malicious hacker to detect ETH deposits coming into the wallet via the L1 to L2 bridge.

[{"selector":"#anim-0a01241d-d64a-40bf-af29-a55d1c5e9202","keyframes":{"transform":["translate3d(-115.73771%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-27d0d60e-4517-4218-8c1b-d7e15721f8e0","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-d4fccbfb-d420-45c3-869e-c1d8f6df374a","keyframes":{"transform":["scale(0.15)","scale(1)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"forwards"}] [{"selector":"#anim-d4da700d-c608-448c-9d09-5124602208cb","keyframes":[{"offset":0,"transform":"translate3d(0, -300.10099%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.29,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.45,"transform":"translate3d(0, -84.38839838800001%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.61,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.71,"transform":"translate3d(0, -28.689654644000004%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.8,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.85,"transform":"translate3d(0, -10.773625541000001%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":0.92,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"},{"offset":0.96,"transform":"translate3d(0, -4.681575444%, 0)","easing":"cubic-bezier(.5, 0, 1, 1)"},{"offset":1,"transform":"translate3d(0, 0%, 0)","easing":"cubic-bezier(0, 0, .5, 1)"}],"delay":0,"duration":1600,"fill":"both"}]

In March 2022, Arbitrum became a victim as a group of hackers stole more than 100 NFTs worth at least $1.4 million from TreasureDAO.

[{"selector":"#anim-342447fa-6b9f-43fd-9dab-4b160a7f64b9","keyframes":{"transform":["translate3d(104.28955%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-32a861c7-9539-4330-a570-ce6d5acae471","keyframes":{"opacity":[0,1]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"both"}] [{"selector":"#anim-53c32077-6c6e-42f8-b349-583ab6ef11b6","keyframes":{"transform":["scale(0.15)","scale(1)"]},"delay":0,"duration":600,"easing":"cubic-bezier(0.4, 0.4, 0.0, 1)","fill":"forwards"}] [{"selector":"#anim-644fdac0-efc8-4511-bd6f-99b9b1690d78","keyframes":{"transform":["translate3d(315.78952%, 0px, 0)","translate3d(0px, 0px, 0)"]},"delay":0,"duration":1000,"easing":"cubic-bezier(.2, 0, .8, 1)","fill":"both"}] [{"selector":"#anim-97313ec0-2946-4808-b272-80b1478b381e","keyframes":{"transform":["rotateZ(180deg)","rotateZ(0deg)"]},"delay":0,"duration":1000,"easing":"cubic-bezier(.2, 0, .5, 1)","fill":"forwards"}] Read More