The Bridge to Nowhere
Market Meditations | September 21, 2022
Even in a post-merge world, layer 2 scaling solutions like Arbitrum are still important to the evolution of Ethereum. However, even layer 2 blockchains need help scaling as we recently saw during the Arbitrum Odyssey. Arbitrum became so congested that the Odyssey was postponed until Arbitrum Nitro was released, but Arbitrum Nitro had a serious bug that could have been disastrous for Arbitrum and Ethereum. Thankfully, a code bounty hunter saved the day before an exploit could occur.
- Arbitrum paid out 400 Ethereum to a solidity code bounty hunter by the name of ‘Oxriptide‘ after he discovered a bridging vulnerability in the Nitro update.
- Anyone who used the bridge could have been affected, had the bug been found by someone with ill intent.
- Oxriptide began searching for bugs a few weeks ago and found a vulnerability where the bridging contract could accept deposits, even though the contract had already been initialized. According to the bounty hunter, “When you stumble upon an uninitialized address variable in Solidity-you should always take a moment to pause and investigate further b/c you never know if it was purposefully left uninitialized or by accident.“
- A hacker would have been able to replace the bridge address with their own personal address and steal all incoming ETH deposits (from Ethereum to Arbitrum Nitro).
- During the time that the exploit could have occurred, deposits ranged from 1000-5000 ETH in a 24-hour period, with the largest deposit being 168,000 ETH.
400 ETH pales in comparison to what this could have cost Arbitrum and Ethereum. An exploit like this could have forced users to a different blockchain ecosystem altogether. Although the vulnerability has been fixed, and bridging to Arbitrum should be safe now, there is always risk in this emerging market.