
Arbitrum Lucky White Hat Hacker Saves Them

@chekohler · 3 min read

In today's edition of YIYL (You Invest, You Lose) we take a look at some of the inner workings of the L2 race and how the "move fast and break things" style of development works out when it comes to issuing your own currency. On an ordinary tech platform, it's considered okay to disregard security while you try to scale, because people who breach it can only collect data. In shitcoins, the "data breach" can be sold on the market immediately, which makes finding faults in these systems a lucrative pursuit.

Every time a system begins to hold any reasonable amount of value, eyes are on it, and eventually, an actor who thinks it's worth their time and that they can get away with it, will reach in and grab the pot. If you're relying on people being good actors to ensure your system works, you're only living on borrowed time.

In a recent case a white hat hacker was willing to give up a $470 million payday in exchange for helping Arbitrum patch an issue, receiving 400 ETH (around $540K) in return. Can you see the issue with this? It would have paid for him to be a bad actor: while $500K is an amazing payday, netting 100x that is a lot sweeter.

A white knight

The white hat hacker, known on Twitter as Riptide, decided that it wasn't his place to wreck a bunch of people and instead used his time to help identify vulnerabilities within smart contracts written in Solidity. Riptide said the “multi-million dollar vulnerability” could potentially affect anyone who wanted to move funds from Ethereum to Arbitrum Nitro.

This work helped save a bunch of people. After a recent upgrade, Riptide noticed some errors that prevented the bridge from working correctly. Upon further inspection, Riptide noticed that the inbox sequencer was experiencing a delay.

“A client can send a message to the Sequencer by signing and publishing an L1 transaction in the Arbitrum chain’s Delayed Inbox. This functionality is most commonly used for depositing ETH or tokens via a bridge.”

After rescanning the contract, Riptide confirmed that the inbox sequencer bug amounted to a critical vulnerability in the contract: Riptide, or any other malicious hacker, could have obtained millions of dollars by diverting incoming ETH deposits on the L1-to-L2 bridge into their own wallet before anyone detected it.

https://twitter.com/kelvinfichter/status/1572197710928699393

Now ask yourself, if a multimillion-dollar project could be taken to the cleaners by a random Twitter anon, why would you trust it with any amount of value? It really is scary how much patch work is run in production and how much faith people have in these systems.

Arbitrum has a history of vulnerabilities

This is not the first time we've seen Arbitrum showcase shoddy work; even this year, in March 2022, Arbitrum was the victim of an exploit. Their code allowed an individual to access more than 100 NFTs from TreasureDAO and waltz away with them to the tune of at least $1.4 million.

Now mind you, that was back when NFTs had some value, while today they have pretty much all but dried up, except for a few noobs, scammers, and misinformed people trying to make their fortune trading jpegs.

Have your say

What do you good people of HIVE think?

So have at it my Jessies! If you don't have something to comment, "I am a Jessie."

Let's connect

If you liked this post, sprinkle it with an upvote or esteem, and if you don't already, consider following me @chekohler and subscribing to my fanbase.

Posted Using LeoFinance Beta