Developers of the Ethereum scaling solution Arbitrum have announced a $2M bounty program for finding critical vulnerabilities, but only paid out $540,000.
Such a complaint was published on the social network Twitter by a "white hat hacker" under the pseudonym Riptide. According to him, he discovered an extremely serious vulnerability in the Arbitrum Nitro code which, theoretically, could have led to a loss of $470 million. In his opinion, a report of such a vulnerability should be valued at the maximum reward rate of $2 million, but the developers paid only 400 ETH (about $540,000).
The hacker carefully analyzed the Arbitrum Nitro code and discovered a vulnerability in the bridge's incoming message sequencer, which handles asset transfers from Ethereum to Arbitrum. The vulnerability would have allowed an attacker to redirect funds coming from the Ethereum network to wallets under their own control.
“In my opinion, everything is simple. If you are claiming a $2 million reward, then be prepared to pay it out on a real claim. Otherwise, just write that the maximum reward is 400 ETH and there will be no questions. Hackers spy on projects that pay bounties and those that don’t. I don’t think it’s a good idea to motivate a white hacker to become a black hacker,” wrote Riptide.
Note that in June, the developers of the Aurora blockchain, built on the NEAR Protocol, duly paid a "white hat hacker" a reward of $6 million for helping to prevent the theft of 70,000 ETH.