🧵 on the Rainbow Bridge attack during the weekend. TL;DR: similar to the May attack; no user funds lost; attack was mitigated automatically within 31 seconds; attacker lost 5 ETH.

The Rainbow Bridge is based on trustless assumptions, with no selected middleman to transfer messages or assets between chains. Because of this, anyone can interact with its smart contracts, including the NEAR light client: https://etherscan.io/address/0x3be7df8db39996a837041bb8ee0dadf60f767038

Usually, it's the Rainbow Bridge relayers who submit the info on NEAR blocks to Ethereum. However, sometimes others do this. Unfortunately, usually with bad intentions.

Incorrect information submitted to the NEAR Light Client may result in the loss of all funds on the bridge. That's why this step is secured with the most solid thing: a consensus of NEAR validators.

And if someone tries to submit incorrect info, it will be challenged by independent watchdogs, who also observe the NEAR blockchain. If you want to read more on how the Rainbow Bridge works, check out this article: https://near.org/bridge/

Over the weekend an attacker submitted a fabricated NEAR block to the Rainbow Bridge contract: https://etherscan.io/tx/0x289c589fb1b0c7c2fc042627c1633cc2400e7bd3107a4bd80f01b87507e62962 The transaction required a safe deposit of 5 ETH.

The transaction was successfully submitted to the Ethereum blockchain in block 15378741 on Aug-20-2022 04:49:19 PM +UTC. Note the time of the attack: the attacker was hoping that it would be complicated to react to the attack early on Saturday morning.

However, no reaction from humans was required. Automated watchdogs challenged the malicious transaction, which resulted in the attacker losing his safe deposit: https://etherscan.io/tx/0x9be2ef5c7bbce3481af2757ca9ab11b9624ce52fdd4d0808dc5e292217173acb

And the reaction took only 31 seconds (4 Ethereum blocks).
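The submit-then-challenge flow described above, as a simplified Python model added here for illustration; it is not code from the thread or from the Rainbow Bridge contracts. The validator keys, the HMAC stand-in for validator signatures, the 20-block challenge window and all class and function names are assumptions.

```python
import hashlib
import hmac

BOND_ETH = 5            # deposit size stated in the thread
CHALLENGE_WINDOW = 20   # assumed window, in Ethereum blocks (not from the thread)
VALIDATOR_KEYS = {"v0": b"key0", "v1": b"key1", "v2": b"key2"}  # constructed

def sign(validator, block_hash):
    """HMAC stands in for a real validator signature (assumption)."""
    return hmac.new(VALIDATOR_KEYS[validator], block_hash.encode(), hashlib.sha256).hexdigest()

def sig_ok(sigs, validator, block_hash):
    return hmac.compare_digest(sigs.get(validator, ""), sign(validator, block_hash))

class LightClient:
    def __init__(self):
        self.pending, self.trusted, self.slashed = None, [], {}

    def submit(self, submitter, block_hash, sigs, eth_block):
        # Optimistic step: anyone may submit; signatures are stored, not verified.
        if self.pending is not None:
            raise RuntimeError("a header is already pending")
        self.pending = {"who": submitter, "hash": block_hash, "sigs": sigs, "at": eth_block}

    def challenge(self, validator, eth_block):
        # Verifies only the one signature the challenger points at.
        p = self.pending
        if p is None or eth_block - p["at"] > CHALLENGE_WINDOW:
            return False
        if sig_ok(p["sigs"], validator, p["hash"]):
            return False                      # honest header, challenge rejected
        self.slashed[p["who"]] = BOND_ETH     # submitter forfeits the deposit
        self.pending = None                   # fabricated header is dropped
        return True

    def finalize(self, eth_block):
        # A header becomes trusted only after surviving the whole window.
        p = self.pending
        if p is None or eth_block - p["at"] <= CHALLENGE_WINDOW:
            return False
        self.trusted.append(p["hash"])
        self.pending = None
        return True

def watchdog(client, eth_block):
    """Off-chain check: recheck every signature, challenge the first bad one."""
    p = client.pending
    bad = [v for v in VALIDATOR_KEYS if p and not sig_ok(p["sigs"], v, p["hash"])]
    return client.challenge(bad[0], eth_block) if bad else False
```

Submitting a header with forged signatures at block 100 and calling `watchdog(client, 104)` returns `True`, records the 5 ETH deposit as slashed and leaves `trusted` empty; a correctly signed header survives the watchdog and can be finalized once the window has passed.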

This attack was absolutely similar to the attack on May 1st. Read more about it here: https://twitter.com/AlexAuroraDev/status/1520810591803293696

And though the attacker was hoping that our security team wouldn't be available, in fact it was. After notifications about strange activity, within 1h the team checked that everything was OK and went back to sleep without disturbing me or the users.

There are still several important things to mention: First, we have been thinking of increasing the safe deposit (to reduce the number of attacks), but discarded this idea. The reason -- it would make the bridge more permissioned and we fight for decentralization.

Second, security is in the hearts of the Aurora Labs team, and that's the reason why we have alerts, automatic systems, audits and bug bounties. In fact, we paid out the second largest bug bounty in the world to secure our users! https://cointelegraph.com/news/aurora-pays-6m-bug-bounty-to-ethical-security-hacker-through-immunefi

Third, to all the builders in web3, there's no way you can omit attack attempts. Please, make sure that you have enough systems in place to mitigate these attacks. My heart is bleeding when I see great builders unfortunately failing because of these.

And fourth, dear attacker, it's great to see the activity from your end, but if you actually want to do something good, instead of stealing users' money and having a hard time trying to launder it, you have an alternative -- the bug bounty: https://immunefi.com/bounty/aurora/

If you want to know more stats on the Rainbow Bridge, please refer to @zavodil's dashboard: https://dune.com/zavodil/rainbow-bridge