How much would you pay to prevent a $470 million hack? For Arbitrum, the answer is 400 ETH (around $540K).
On September 19, Arbitrum, one of the most popular Layer 2 solutions for Ethereum, paid 400 ETH (about $560,000) to a white hat hacker who found a potential vulnerability in its code.
The white hat hacker, known on Twitter as Riptide, finds vulnerabilities within smart contracts written in Solidity. Riptide said the “multi-million dollar vulnerability” could potentially affect anyone who wanted to exchange funds from Ethereum to Arbitrum Nitro.
Arbitrum Prevented Millions of Dollars in Losses
The hacker thoroughly scanned the Arbitrum Nitro code a few weeks before it was released, checking the contracts so they could “see if the update had been a success.”
After the upgrade, Riptide noticed some errors that prevented the bridge from working correctly. Upon further inspection, Riptide noticed that the inbox sequencer was experiencing a delay.
“A client can send a message to the Sequencer by signing and publishing an L1 transaction in the Arbitrum chain’s Delayed Inbox. This functionality is most commonly used for depositing ETH or tokens via a bridge.”
After rescanning the contract, Riptide confirmed that the inbox sequencer bug allowed a critical vulnerability in the contract by which Riptide or another malicious hacker could have obtained millions of dollars by diverting incoming ETH deposits from the L1 to the L2 bridge into their wallets before being detected.
However, Riptide decided to report the vulnerability and apply for a reward instead, which to their surprise, was just 400 ETH instead of the $2 million reward Arbitrum offered as its maximum tier. Upon receiving the reward, the hacker argued that it was not in line with the importance of the bug and the risk it entailed.
It is worth mentioning that in March 2022, Arbitrum was the victim of an exploit in which a hacker or a group of hackers stole more than 100 NFT from TreasureDAO, with a valuation of at least $1.4 million.
White Hat Hackers: A Lucrative Business in Crypto-Land
Independent auditing is of huge importance in the crypto ecosystem. Over the course of the year, several platforms have opted to pay bounties to white hat hackers who report potential vulnerabilities in their code or smart contracts.
For example, in mid-February, Coinbase paid “the largest bounty in its history” ($250,000) to a hacker named “Tree of Alpha” for saving them from a billion-dollar loss due to a flaw in the “Advanced Trading” feature.
At the time, Tree of Alpha was grateful for the payment stating that it could serve him well in retirement; however, like Riptide, he noted that “a higher bounty might have been smart to deter more gray hats from exploiting vulnerabilities.”
Also, Jay “Saurik” Freeman —who works with the decentralized VPN protocol Orchid and is a legend in the iOS jailbreak community—received over $2 million for reporting a vulnerability in Optimism, a “layer 2 scaling solution” for Ethereum.