JAKARTA - Arbitrum, a Layer 2 solution for the Ethereum network, was reportedly involved with a white hat hacker known as Riptide on Twitter. The hacker managed to find a bug in the Arbitrum code. Due to the findings, Arbitrum rewarded Riptide with 400 Ethereum (ETH) which is worth around 560,000 US dollars (equivalent to IDR 8.4 billion).

On September 19, Arbitrum paid 400 ETH to hackers who discovered a potential vulnerability in its code. Riptide managed to find vulnerabilities in smart contracts written in Solidity Arbitrum. The hacker stated that the multimillion-dollar vulnerability could potentially allow users to exchange or swap funds from Ethereum to Arbitrum Nitro.

Hackers scanned Arbitrum Nitro's code thoroughly weeks before it was released, checking contracts so they could "see if the update was successful."

After the upgrade, Riptide noticed some errors that prevented the linker or bridge from working properly. Upon further inspection, Riptide noticed that the sequencer's inbox sequencer had been delayed.

“A client can send messages to the Sequencer by signing and issuing L1 transactions in the Delayed Inbox of the Arbitrum network. This functionality is most often used to deposit ETH or tokens via bridges", Riptide said in a tweet.

After performing a re-scan, Riptide revealed that the findings of the bug could potentially expose the network to severe vulnerabilities. If this is detected by a malicious hacker then he can earn millions of dollars by diverting incoming ETH deposits from L1 to L2 bridges to their wallets undetected.

“My bounty bug writing about a critical vulnerability I discovered in Arbitrum Nitro that allows attackers to steal all ETH deposits that go into L1->L2 bridges", Riptide wrote in a Twitter post, on September 20, 2022.

Even so, Riptide is a good-class hacker commonly known as a white hat. He reported the vulnerability to Arbitrum and applied for a bounty instead. However, Arbitrum surprisingly gave a reward of 400 ETH, not the 2 million US dollar prize that Arbitrum offered as its highest prize. After receiving the reward, Riptide argued that it was not in line with the importance of the bug and the risks it entailed.

“My point is if you post a $2 million bounty – be prepared to pay it if it is justified. If not, just say the max bounty is 400 ETH and work it out. Hackers see which projects are paying and which are not. I don't think it's a good idea to incentivize whitehats to become blackhats", Riptide said in a Twitter post.

Unlike white hat hackers who have good motives, black hat hackers are hackers who trick computer systems with evil motives. According to Riptide's statement, the pay for him was not worth it because the company announced it would award a $2 million prize.


The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language. (system supported by DigitalSiber.id)