- Arbitrum paid 400 ETH via ImmuneFi to white hat hacker
- Arbitrum bridge bug was caused by bad initializers in the contract code
Another cryptocurrency vulnerability has been uncovered by a so-called white hat hacker, who found an exploitable bug in the bridge between Ethereum and Arbitrum Nitro.
The hacker, known as riptide on Twitter, outlined their discovery, which comes on the heels of an escalating series of hacks in the bridges that connect different blockchains, which collectively have been drained of hundreds of millions of dollars of predominantly user funds this year.
Arbitrum, the layer-2 Ethereum scaling solution, paid riptide a bounty of 400 ether (ETH) as a reward via the bug bounty platform ImmuneFi.
The multi-million dollar vulnerability, as riptide called it, would have allowed an attacker to steal all incoming ether deposits from users attempting to bridge their assets between Ethereum layer-1 and layer-2 protocols to Arbitrum.
The initialization-related vulnerability, according to the white hat hacker, would have enabled any nefarious actor to impersonate a user and send the authentication message to the “sequencerInbox” function to execute the vulnerability.
The largest deposit recorded on the inbox contract was 168,000 ETH, around $250 million, with average deposits ranging from 1,000 to 5,000 ETH in a 24-hour period, riptide said.
Another Twitter user, smartcontracts.eth, commented that “rollups are still heavily in development,” cautioning his followers to be careful on layer-2 protocols. A layer-2 refers to a mechanism built on top of a blockchain’s core layer, typically to increase scalability or speed, plus introduce additional features.
A similar bug was seen in the token bridge Nomad’s smart contract, which cost the protocol $190 million in cryptocurrency in the third-biggest cryptocurrency hack of the year.
Additionally, Arbitrum plans to integrate with NFT marketplace OpenSea on Wednesday.
A slew of NFT collections built on Arbitrum will be available to buy and sell directly on OpenSea.
OpenSea tweeted that creators would need to find their collections and set their creator fees directly.
The marketplace recently added the royalties percentages front-and-center on a collection’s page.