Because of the flaw, attackers could have taken all of the ether that was put into Arbitrum Nitro.
In their rush to lower transaction costs on the Ethereum blockchain, the developers of the scaling tool Arbitrum overlooked a change in the latest version that would have let attackers steal all funds sent to the network.
Arbitrum gave the hacker who found the flaw about 400 ether, which is worth about $53,000.
The flaw lay in how transactions are submitted to the network and processed. This happens through a component called a bridge, which lets users move tokens between different blockchains. Attacks on bridges are now one of the biggest security risks in crypto, accounting for almost $1 billion stolen in the past year.
The white-hat hacker, who goes by the name 0xriptide, said in a post on Tuesday that the flaw would affect anyone who tried to move funds from Ethereum to Arbitrum Nitro, the latest version of Arbitrum.
0xriptide found that every transaction arriving through the bridge was delivered as a message to the Delayed Inbox of the Arbitrum blockchain. The inbox ran a check to see whether the contracts behind those transactions were either in the process of being completed or had already been completed.
0xriptide found that the storage slots that were supposed to hold this data were empty, because a Nitro function that was supposed to check the transactions had overwritten the data on its own. That would have let an attacker alter the bridge's smart contract, which is open-source software and can be changed by anyone, so that their own address became the receiver address.
A single line of code would have prevented anyone from altering the critical contract. That line was removed to make transactions cheaper, and the security hole this opened went unnoticed, 0xriptide said.
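To make the initialization flaw described above concrete, here is a hypothetical inbox-style contract written for this article (it is not Arbitrum's code, and `IBridge`, `postUpgradeInit` and the slot layout are assumptions): the flag that blocks a repeat call to `initialize` lives in a storage slot that the upgrade hook wipes, so `initialize` can be called again with a caller-chosen bridge; the hardened variant adds a single guard, assumed here to be a check that the bridge address is still unset.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for the real bridge interface (assumption, not Arbitrum's code).
interface IBridge {}

// VULNERABLE: models the flaw described above. The "already initialized" flag lives
// in storage slot 0, and the upgrade hook wipes that slot, so initialize() becomes
// callable a second time and can re-point `bridge` to a caller-chosen address.
contract InboxVulnerable {
    uint256 private initialized;   // slot 0: non-zero once initialize() has run
    IBridge public bridge;         // slot 1: the bridge this inbox trusts
    address public immutable admin; // immutable: not in storage, layout above unchanged

    constructor() { admin = msg.sender; }

    function initialize(IBridge _bridge) external {
        require(initialized == 0, "ALREADY_INIT");
        initialized = 1;
        bridge = _bridge;
    }

    // Upgrade hook meant to clear legacy storage left by the previous version.
    // Clearing slot 0 also clears `initialized`, which is the bug.
    function postUpgradeInit() external {
        require(msg.sender == admin, "NOT_ADMIN");
        assembly { sstore(0, 0) }
    }
}

// HARDENED: one extra guard checks the bridge slot itself, which the upgrade
// hook never touches, so a wiped flag no longer reopens initialize().
contract InboxHardened {
    uint256 private initialized;
    IBridge public bridge;
    address public immutable admin;

    constructor() { admin = msg.sender; }

    function initialize(IBridge _bridge) external {
        require(initialized == 0, "ALREADY_INIT");
        require(address(bridge) == address(0), "BRIDGE_ALREADY_SET"); // the one line
        require(address(_bridge) != address(0), "ZERO_BRIDGE");
        initialized = 1;
        bridge = _bridge;
    }

    function postUpgradeInit() external {
        require(msg.sender == admin, "NOT_ADMIN");
        assembly { sstore(0, 0) }
    }
}
```

A practical audit check on a live proxy is to read both storage slots after an upgrade: a zeroed initialization flag next to a non-zero bridge address means the guard has been reset and `initialize` is callable again.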
“The biggest deposit recorded on the inbox contract was 168,000 ETH, which is about $250 million.” The average amount of money deposited in a 24-hour period is between 1,000 and 5,000 ETH. This means that the weakness could have led to the theft of hundreds of millions of dollars.