An in-depth review of the Rainbow Bridge incident on 10th of February 2023

3 years ago

A 🧵 on the recent precautionary pause of the Rainbow Bridge. TL;DR: it was a bug in the NEAR Core, no funds lost; the vulnerability was never exploited on the Rainbow Bridge; operations of the bridge are fully restored. @auroraisnear @NEARProtocol @PagodaPlatform
On the 10th of February a vulnerability was discovered in the NEAR Core.
The vulnerability concerns the validation of the block outcome root. A chunk producer (validator) of the NEAR blockchain can maliciously construct an incorrect block, which will then be validated by others as if it were the correct one.
This vulnerability presents particular risks for the Rainbow Bridge due to its trustless architecture. In order to finalise a transfer from NEAR, the Ethereum side of the bridge needs to validate the inclusion of the starting transaction on NEAR.
So, if the consensus is broken, incorrect information may be committed, resulting in the draining of the funds from the bridge and potentially affecting other bridge connectors.
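The dependency described above, as an added example (not NEAR Core or Rainbow Bridge code): an inclusion proof only shows that an outcome sits under a given root, so the root itself must be recomputed from locally executed outcomes during block validation. The SHA-256 tree layout, function names and sample outcomes are simplified assumptions, not NEAR's actual encoding.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle_path(leaves, index):
    """Return (path, root): sibling hashes for leaf `index`, tagged by side.
    Simplified tree: an unpaired node is carried up unchanged."""
    level, path = [h(x) for x in leaves], []
    while len(level) > 1:
        sib = index ^ 1
        if sib < len(level):
            path.append((level[sib], "L" if sib < index else "R"))
        nxt = [h(level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level, index = nxt, index // 2
    return path, level[0]

def verify_inclusion(leaf: bytes, path, root: bytes) -> bool:
    """Bridge-side check: does `leaf` hash up to `root` along `path`?"""
    node = h(leaf)
    for sibling, side in path:
        node = h(sibling + node) if side == "L" else h(node + sibling)
    return node == root

def validate_outcome_root(claimed_root: bytes, executed_outcomes) -> bool:
    """Validator-side check: accept the header's outcome root only if it
    equals the root recomputed from outcomes this node executed itself."""
    return merkle_path(executed_outcomes, 0)[1] == claimed_root

# Constructed sample outcomes (hypothetical, for illustration only).
OUTCOMES = [b"outcome-0", b"outcome-1", b"outcome-2", b"outcome-3", b"outcome-4"]

if __name__ == "__main__":
    path, root = merkle_path(OUTCOMES, 2)
    print("honest proof verifies:", verify_inclusion(OUTCOMES[2], path, root))
    # A header whose root was built over a different outcome set: the
    # inclusion proof alone cannot tell, only root recomputation can.
    other = OUTCOMES[:2] + [b"never-executed"] + OUTCOMES[3:]
    bad_path, bad_root = merkle_path(other, 2)
    print("proof under unchecked root:", verify_inclusion(other[2], bad_path, bad_root))
    print("root recomputation accepts it:", validate_outcome_root(bad_root, OUTCOMES))
```
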
After a short review of the submission (even before the full validation of the vulnerability), the NEAR Protocol team notified Aurora Labs about the issue.
The decision to stop the bridge and contracts that are holding users' tokens was taken immediately. The Rainbow Bridge security council was incapable of analysing the validity of the issue, but even from its description it was clear that it may be severe.
Within 30 min from the first communication the bridge was paused in a series of 4 transactions:
etherscan.io/tx/0x0fbce00aa32411f0d83b27636d45fa7d71a5d896f659a937bcf2334a032ccd0c
etherscan.io/tx/0x9fd20fee71446ac49cd7c8580923dbe0b05c909e3f797038eee4c18291e51840
etherscan.io/tx/0xfae634956088734469df3a306134c57c3e3ddda5fd0c5a723e90c5676d5bd9d5
etherscan.io/tx/0xf74a154d8efa728f0431d39d33b5d18a74e3815bf8ade95b4dd9a63084c73008
These transactions shut down the execution of any methods for the three connectors that store tokens (ERC-20, ETH and eNEAR) as well as the prover contract.
As a result, both token and data transfers on the Rainbow Bridge were paused.
After the Rainbow Bridge was stopped, the information was propagated throughout all Aurora channels, including the Aurora status page and the Rainbow Bridge web app. twitter.com/AlexAuroraDev/status/1624190477103669249
Shortly after, the NEAR Protocol team confirmed the validity of the issue and the development of the patch to the NEAR Core started.
On the 11th of February the patch was developed and reviewed and the NEAR Core team started to contact validators to apply the patch. Aurora Labs's validator was updated in the shortest possible timeframe.
Throughout the weekend, validators worked on updating their instances and by the end of 12th February (Europe time) the required 67% stake was reached. Right now the vulnerability can no longer be exploited.
While the NEAR Protocol team was developing the patch and communicating with validators, Aurora Labs's Bridge team analysed the full 2-year history of the Rainbow Bridge to find out whether the vulnerability was ever exploited.
The result of the analysis was negative: incorrect transfers were not performed, ever!
The Rainbow Bridge was unpaused with two transactions (one of which was batched) shortly after the report of sufficient stake upgrade:
etherscan.io/tx/0x3fbc04ed38248430850a407c5af6691accea5f703d3986f66762e390a7d838b5
etherscan.io/tx/0xfedcf8fdfbb6d15796e8ae16b062263a5ec03eddc70642992597416b72a92667
The unpausing of the Rainbow Bridge was immediately communicated on all Aurora official channels: twitter.com/AlexAuroraDev/status/1624842592159469569
Today, NEAR Protocol publicly released the security patch 1.31.1 that was applied by the validators during the weekend: github.com/near/nearcore/releases/tag/1.31.1
It is still possible to leverage this vulnerability, e.g. if the staking distribution were to change in favour of the validators that have not upgraded, so it's important to update the NEAR nodes. However, the chances of this event are negligible.
Overall, this vulnerability was treated in a very professional manner with quick reactions, transparent communication and advanced research. That's how things should be done in blockchain.
I'd like to thank the Security, Bridge and Infrastructure teams in Aurora Labs, as well as the Security and Protocol teams in Pagoda for great and efficient cooperation and care for the users of both NEAR and Aurora.
Alex Shevchenko 🇺🇦

@AlexAuroraDev

Co-founder of @auroraisnear | CEO of Department of NEAR Efficiency | Building blockchain infra since 2015