All right guys, this thing I need to explain in a bit more detail.
A few weeks ago a good samaritan appeared and offered some improvements to the bridge
https://github.com/BitgesellOfficial/gobglbridge/pull/1 (notably better retry handling that probably wouldn't completely fix glitches due to using a free EVM RPC, but would provide a notable improvement, especially for such a fast L2 as Arbitrum). The guy was even paid 2 weeks ago by Emma.
As there were indeed issues with constantly throttled RPC API calls (from Cloudflare pages to all kinds of error messages), I checked the code (being afraid of double-spends in retries, etc.; that was the focus) and decided to merge the PR. And after questions about whether the service was redeployed with the latest changes, I deployed it at last.
1.5 days after the redeploy (which I didn't announce), on 26 August, I noticed the bridge was empty. Gas tokens were transferred too, and there was also a 'virtual bridge' signed by the bridge's wallet to mainnet (full amount minus bridge fee). All was fast and calculated. After checking general-level access (like SSH etc.) the vector was narrowed down: there was something in the serving of static files (supposedly to add security, like directory access) made by the mentioned PR. I guessed correctly that it was related to the change from ServeFile to ServeContent, which can expose '..' parent directory traversal in the requested URL, but could replicate that only locally. Re-analyzed the logs and found how the attack was made -- by requesting bglswap.com/app/
which was successful on the first try (it was 100% prepared).
I'm 99% sure that the PR's author and the exploiter are the same person. Even if not, somebody watched this closely and knew exactly what to do; it was 100% planned. I know it now looks simpler when explained, but this is still not something like 'dev opened an infected Word file received via email'. I admit I wasn't prepared for this level of villainy (offer help and backstab this way).
Removed the vulnerability and redeployed the code.
What's next?
1. I have some personal BGLs left and would also ask Emma if she can kindly provide some liquidity for the bridge;
2. Would reimburse if someone lost funds (please send me txids); all logs are intact;
3. Won't be merging third-party PRs, even for a small cosmetic change;
4. Would be good to find someone to help maintain the bridge (but at the moment it looks very hard to find anyone to give access to without being scammed the next minute);
Sorry for this situation.
I believe that we can resume operation very soon (a few days).
Best regards
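The ServeFile/ServeContent point above, shown as an added example that is not code from gobglbridge or from the PR: Go's http.ServeFile rejects any request whose path contains a ".." element, while http.ServeContent only takes an already-opened reader and checks nothing, so a handler that switches to it has to validate the path itself. The static root and the request paths below are constructed sample values.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

var ErrTraversal = fmt.Errorf("request path escapes the static root")

// resolveStaticPath maps a URL path onto a file under root. It repeats the ".." check that
// http.ServeFile does on r.URL.Path (ServeContent checks nothing) and keeps the result inside root.
func resolveStaticPath(root, urlPath string) (string, error) {
	root = filepath.Clean(root)
	for _, seg := range strings.Split(urlPath, "/") {
		if seg == ".." {
			return "", ErrTraversal
		}
	}
	full := filepath.Join(root, filepath.FromSlash(urlPath)) // Join also cleans the result
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

// staticHandler serves via http.ServeContent only after resolveStaticPath accepts the path.
func staticHandler(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name, err := resolveStaticPath(root, r.URL.Path)
		if err != nil {
			http.Error(w, "invalid URL path", http.StatusBadRequest)
			return
		}
		if f, err := os.Open(name); err == nil {
			defer f.Close()
			if info, err := f.Stat(); err == nil && !info.IsDir() {
				http.ServeContent(w, r, info.Name(), info.ModTime(), f)
				return
			}
		}
		http.NotFound(w, r) // missing files and directories alike: no listing, no leak
	})
}

func main() {
	fmt.Println(resolveStaticPath("/srv/app", "/../secret.txt")) // constructed sample path
}
```

Mount it with http.Handle("/app/", http.StripPrefix("/app/", staticHandler(root))) so the prefix is removed before the path is validated.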