Ethereum: critical flaw on Arbitrum, 400 ETH reward to fix it

A worthwhile reward – Most cryptocurrencies have open source code, which allows anyone to verify or contribute to a project's source code. In some cases, it also allows users to detect a flaw and help correct it. This is exactly what just happened on Arbitrum, where a hacker detected a critical flaw.


A critical flaw discovered on Arbitrum Nitro

Arbitrum is a layer 2 solution for the Ethereum network, developed by Offchain Labs. Launched in September 2021, the Arbitrum layer 2 recently underwent a major update with the deployment of Arbitrum Nitro.

Unfortunately, this update contained a critical flaw that could have put millions of dollars at risk.

On Tuesday, September 20, 0xriptide revealed that he had detected a critical flaw in the code of the Arbitrum Nitro solution. At the same time, he described the stages of his discovery in a Medium post.

Tweet announcing the flaw on Arbitrum.

“It was the story of erased storage locations and well-meaning gas optimizations that led to a multi-million dollar vulnerability. This affected any potential depositor attempting to send funds between Ethereum and Arbitrum Nitro.”

In his post, 0xriptide presents himself as a white hat hacker who hunts the bug bounty rewards offered by various protocols on ImmuneFi. Our protagonist explains that he is particularly interested in cross-chain solutions, including DeFi bridges.

A few weeks before discovering the flaw, 0xriptide had conducted extensive research on the layer 2 solutions Optimism and Arbitrum. His objective was to “gain a solid understanding of how the protocols work and how each chose to implement their security framework.”

Back to the discovery of the flaw

Having studied both protocols thoroughly, our benevolent hacker set out to explore the Arbitrum code in search of a flaw.

He then inspected the implementation of the bridge that allows funds to be sent from Ethereum to Arbitrum. In practice, transactions between Ethereum and Arbitrum are handled by a smart contract called DelayedInbox.

Without going into details, this contract uses a method to initialize the contracts that make up the system. This method sets two variables:

The initialize() function, which initializes Arbitrum's bridge and sequencerInbox.

It was here that something caught 0xriptide's attention. After checking on Etherscan, our hacker was able to confirm that the bridge had been initialized. However, he discovered that the SequencerInbox had not been.

“I scanned the first two memory slots of the contract to see what was happening while the initialization modifier was running. Of course, both slots 0 and 1 were empty, meaning the contract was in a state of complete vulnerability as it accepted thousands of ETH deposits every day! How was this possible given that the contract had been initialized before?”

After further research, he discovered a function called postUpgradeInit that was responsible for clearing certain storage slots. This function erases the values of the first three storage slots and then updates several fields. However, it fails to set the value of sequencerInbox.

The postUpgradeInit() function, which forgot to initialize the sequencerInbox.

How the flaw works, and the bug bounty

Now that 0xriptide had discovered a potential attack vector, he had to devise a way to test the vulnerability.

To do this, he called the public initialize() function, passing it the address of a tampered copy of the Arbitrum bridge as a parameter.

Once this maneuver was complete, our hacker was in a position to steal all ETH deposited through the Arbitrum Bridge.

“Now that we have initialized the contract with our own bridge contract address, we can divert all ETH deposits from users attempting to bridge to Arbitrum via the depositEth() function.”
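The storage-slot interaction described above, modelled as an added Python illustration. This is not Arbitrum's or 0xriptide's code: the slot layout (initializer flag, sequencerInbox, a legacy field, bridge, a field added by the upgrade), the addresses and the function names are all assumptions made for the model. The buggy upgrade hook wipes the first three slots and rewrites only the bridge, which leaves the initializer flag and sequencerInbox at zero, so initialize() can be called a second time and deposits are routed to whatever bridge address the second call supplied. The fixed hook clears only the obsolete slot and restores everything initialize() had set. The initialize_is_locked check is the kind of post-upgrade regression test a deployer would want in their pipeline.

```python
"""Model of an upgrade hook that wipes the storage slot behind an initializer guard.

Added illustration, not Arbitrum's code. Assumed (hypothetical) storage layout:
slot 0 = initialized flag, slot 1 = sequencerInbox, slot 2 = a legacy field,
slot 3 = bridge, slot 4 = a field introduced by the upgrade.
"""

SLOT_INITIALIZED, SLOT_SEQUENCER_INBOX, SLOT_LEGACY, SLOT_BRIDGE, SLOT_NEW_FIELD = range(5)

# Constructed placeholder addresses (not real contracts).
BRIDGE = "0x" + "b1" * 20
SEQ = "0x" + "5e" * 20
TEST_BRIDGE = "0x" + "ee" * 20  # bridge address used by the regression check


class Revert(Exception):
    """Stands in for an EVM revert."""


class Inbox:
    def __init__(self):
        # Every EVM storage slot starts at zero.
        self.storage = {slot: 0 for slot in range(5)}
        self.routed = []  # (depositor, amount, bridge) for each depositEth()

    def initialize(self, bridge, sequencer_inbox):
        # 'initializer'-style guard: only passes while the flag slot is still zero.
        if self.storage[SLOT_INITIALIZED] != 0:
            raise Revert("already initialized")
        self.storage[SLOT_INITIALIZED] = 1
        self.storage[SLOT_BRIDGE] = bridge
        self.storage[SLOT_SEQUENCER_INBOX] = sequencer_inbox

    def post_upgrade_init_buggy(self, bridge):
        # Gas-motivated cleanup: wipe the first three slots, then rewrite only the
        # fields the new layout needs. The flag and sequencerInbox are left at zero.
        for slot in range(3):
            self.storage[slot] = 0
        self.storage[SLOT_BRIDGE] = bridge
        self.storage[SLOT_NEW_FIELD] = 1

    def post_upgrade_init_fixed(self, bridge, sequencer_inbox):
        # Clear only the slot that is actually obsolete and re-establish
        # everything initialize() is responsible for, guard flag included.
        self.storage[SLOT_LEGACY] = 0
        self.storage[SLOT_BRIDGE] = bridge
        self.storage[SLOT_SEQUENCER_INBOX] = sequencer_inbox
        self.storage[SLOT_INITIALIZED] = 1
        self.storage[SLOT_NEW_FIELD] = 1

    def deposit_eth(self, depositor, amount):
        # Deposits go to whatever address the bridge slot currently holds.
        bridge = self.storage[SLOT_BRIDGE]
        self.routed.append((depositor, amount, bridge))
        return bridge


def read_slots(inbox, count=2):
    """Mirror of the manual 'scan the first slots' check, returned as a tuple."""
    return tuple(inbox.storage[i] for i in range(count))


def initialize_is_locked(inbox):
    """Post-upgrade regression check: a second initialize() call must revert.

    On a vulnerable contract this call succeeds and repoints the bridge slot,
    which is exactly why the check must run on a fork or test deployment.
    """
    try:
        inbox.initialize(TEST_BRIDGE, TEST_BRIDGE)
    except Revert:
        return True
    return False


def run_scenario(fixed):
    """Deploy, initialize, then apply the buggy or the fixed upgrade hook."""
    inbox = Inbox()
    inbox.initialize(BRIDGE, SEQ)
    if fixed:
        inbox.post_upgrade_init_fixed(BRIDGE, SEQ)
    else:
        inbox.post_upgrade_init_buggy(BRIDGE)
    return inbox


if __name__ == "__main__":
    for fixed in (False, True):
        inbox = run_scenario(fixed)
        print("fixed" if fixed else "buggy", "slots 0-1:", read_slots(inbox),
              "initialize() locked:", initialize_is_locked(inbox),
              "deposit routed to:", inbox.deposit_eth("0x" + "aa" * 20, 5))
```

The point of the model is that the guard is only as strong as the slot it lives in: any code path that zeroes that slot reopens initialize(), regardless of how the bridge getter looks on a block explorer. Reading the first slots directly (eth_getStorageAt, or Etherscan's storage view) after every upgrade, and asserting that initialize() reverts, catches this class of regression before deposits flow.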

This was a critical flaw that could have resulted in the loss of hundreds of millions of dollars. According to the post, the largest single deposit recorded by the contract was 168,000 ETH, or about $250 million.

In addition, an average of 1,000 to 5,000 ETH is deposited daily on Arbitrum via this method.

Naturally, our big-hearted hacker quickly contacted the Arbitrum team to report his findings. They were able to correct the flaw before it was exploited and offered 0xriptide a generous reward of 400 ETH, or $535,000.

Last February, a white hat hacker saved Optimism's layer 2: he discovered a critical flaw that earned him a generous $2 million reward.

