The code bounty hunter 0xriptide was paid ETH400, roughly $520,000, for discovering a vulnerability in the Arbitrum layer-two solution.
The vulnerable code was found in a bridge between Ethereum and the newly upgraded Arbitrum Nitro. After 0xriptide spotted it, the vulnerability was fixed before it was exploited or any funds were stolen.
Who is 0xriptide?
Self-described as a white-hat hacker, 0xriptide is an anonymous coder who scours the Web3 bounty platform Immunefi for leads. That website is where they first came across the Arbitrum vulnerability.
The Medium post where 0xriptide outlined the Arbitrum vulnerability said: “I… focus mainly on searching for vulnerabilities solely within smart contracts written in Solidity.”
Focusing on smart contracts gives the hacker the opportunity for large bounties, as millions of dollars are often at risk. They claim there is a clear need for bug hunters, as contracts will always have issues, whether during development, deployment or upgrades.
Going by riptide on Twitter, the coder recently shared that six months earlier he could not read a smart contract and had since spent every week researching. “I was dead set on my path of bounty hunting.”
6 months ago I was a DeFi degen and couldn't read a smart contract ....
So I spent 7 days a week reading contracts, audit reports, hack post-mortems, books on solidity, reading about merkle trees, assembly programming, etc... i was dead set on my path of bounty hunting
— riptide (@0xriptide) September 22, 2022
The bounty hunter is currently working on cross-chain projects “due to the complexity involved for the developers of these projects and the significant amount of funds at risk due to the current ‘honeypot’ structure of most bridge implementations”.
The vulnerability, which could have seen over $250m of ETH stolen, was in a bridge between the Ethereum mainnet and Arbitrum’s layer-two network.
According to 0xriptide’s Medium post, a bad actor could have exploited the code to steal incoming ETH deposits to the Arbitrum protocol.
The Medium post said: “The largest deposit recorded on the inbox contract was ETH168,000 (~$250mm) with typical total deposits in a 24-hour period ranging from ~ETH1,000 to ~ETH5,000.”