🧵 on the Rainbow Bridge attack during the weekend
TL; DR: similar to May attack; no user funds lost; attack was mitigated automatically within 31 seconds; attacker lost 5 ETH.
Usually, it's Rainbow bridge relayers, who submit the info on NEAR blocks to Ethereum. However, sometimes others are doing this. Unfortunately, usually with bad intentions.
The incorrectly submitted information to the NEAR Light Client may result in the loss of all funds on the bridge. That's why this step is secured with the most solid thing: a consensus of NEAR validators.
And if someone tries to submit incorrect info, then it would be challenged by independent watchdogs, who also observe NEAR blockchain.
You may want to read more on how Rainbow Bridge works, check out this article: https://near.org/bridge/
The transaction was successfully submitted in the Ethereum blockchain in the block 15378741 on Aug-20-2022 04:49:19 PM +UTC.
Note the time of attack: an attacker was hoping that it would be complicated to react on the attack early Saturday morning.
And the reaction was taking only 31 seconds (4 Ethereum blocks)
And though attacker was hoping that our security team won't be available, in fact it was. After notifications on strange activities, within 1h the team was checking that everything is OK and was going back to sleep without disturbing myself or the users.
There are still several important things to mention:
First, we have been thinking of increasing the safe deposit (to reduce the number of attacks), but discarded this idea. The reason -- it would make the bridge more permissioned and we fight for decentralization.
Third, to all the builders in web3, there's no way you can omit attack attempts. Please, make sure that you have enough systems in place to mitigate these attacks.
My heart is bleeding when I see great builders unfortunately failing because of these.
And forth, dear attacker, it's great to see the activity from your end, but if you actually want to make something good, instead of stealing users money and having lots of hard time trying to launder it; you have an alternative -- the bug bounty: