A white-hat hacker discovered a bug in the latest update of Arbitrum, an Ethereum scaling network, that could have resulted in the theft of more than $530 million.
Arbitrum's creator, OffChain Labs, earlier this week rewarded a hacker working under the pseudonym 0xriptide with 400 ETH (worth around $530,000) for sharing the discovery.
Arbitrum released its latest update, Nitro, on August 31, in anticipation of the Ethereum Merge, the recent and long-awaited upgrade of the Ethereum network from a proof-of-work consensus mechanism to proof of stake.
Immediately after the launch of Arbitrum Nitro, 0xriptide began scanning it for vulnerabilities, according to a blog post detailing the discovery.
Ethereum scaling networks like Arbitrum get around the slow speed of the Ethereum mainnet and its costly transaction fees with "rollups": a large number of Ethereum transactions are processed on a separate chain and then migrated back to the main Ethereum network as a single transaction. Doing so greatly increases the speed and affordability of Ethereum transactions, but it can also expose users to vulnerabilities.
0xriptide discovered that the bridge between the Ethereum mainnet and Arbitrum Nitro contained a flaw that would have allowed any hacker to replace the Arbitrum destination address with their own. Essentially, any funds intended to flow from Ethereum to Arbitrum could instead have been redirected directly to the hacker's wallet.
According to 0xriptide, an attacker could have used the bug either to selectively pick out huge individual deposits and avoid detection, or to steal the entire incoming deposit stream to Arbitrum. Between Arbitrum Nitro's debut in late August and the time 0xriptide notified OffChain Labs of the error, more than 400,000 ETH, or $534 million at the time of writing, moved from Ethereum to Arbitrum, according to data from a Dune Analytics dashboard.
0xriptide also notes that over the past three weeks, Arbitrum's largest single deposit has been 168,000 ETH, or $225 million at the time of writing. However, in that period no hacker exploited the bug, and Arbitrum was not attacked.
So-called cross-chain bridge attacks like the one 0xriptide may have blocked are quite common in the Ethereum scaling world. In March, the Lazarus Group, a North Korean hacking group, stole $622 million worth of ETH by hacking into a bridge for the Ethereum sidechain used by the play-to-earn game Axie Infinity. The same group took $100 million in June by targeting another Ethereum sidechain bridge used by the Harmony protocol.
After validating the Arbitrum Nitro bug, OffChain Labs sent 0xriptide a payment of 400 ETH, or just over $530,000, via the web3 bug bounty platform Immunefi.
"Thank you to the highly motivated Arbitrum team for providing the 400 ETH reward, and of course for creating a great piece of technological innovation with the L2 app," 0xriptide wrote on Monday.
However, the hacker may have developed other ideas about the value of their discovery. On Tuesday, they wrote on Twitter that, given the hundreds of millions of dollars saved, Arbitrum could have been more generous: