Aurora Labs CEO Alex Shevchenko said that on Aug. 22 a hacker lost 5 Ethereum (ETH) in a failed attack on the NEAR/ETH Rainbow Bridge over the weekend. No user funds were lost.
Shevchenko said the attack “was mitigated automatically within 31 seconds,” highlighting what looks like an effective mechanism to safeguard user funds on the bridge.
Aurora ‘watchdogs’ prevent Rainbow Bridge attack
The Rainbow Bridge allows users to transfer tokens between ETH, NEAR, and the Aurora networks. It was created by Aurora, the Ethereum-compatible scaling solution built on the NEAR blockchain.
Users can send ERC-20 assets directly from MetaMask or other Web3 wallets to NEAR wallets and applications, and vice versa.
The bridge “is based on trustless assumptions with no selected middleman to transfer messages or assets between chains.” Because of this, anyone can interact with its smart contracts, “usually with bad intentions.”
Shevchenko said cybercriminals cannot, however, submit “incorrect” information due to the need for “a consensus of NEAR validators,” which protect against the potential loss of all funds on the bridge.
“If someone tries to submit incorrect information, then it would be challenged by independent watchdogs, who also observe NEAR blockchain,” he said in a blog post.
Fabricated block creation
Over the weekend, an attacker submitted “a fabricated NEAR block” to the Rainbow bridge, requiring a so-called “safe deposit” of 5 ETH. The transaction was successfully submitted to Ethereum on Aug. 20, at 04:49:19 PM UTC.
Shevchenko said the hacker “was hoping that it would be complicated to react [to] the attack early Saturday morning.”
However, “automated watchdogs challenged the malicious transaction,” resulting in the attacker losing their 5 ETH deposit, valued at about $8,000 at the time.
“The reaction took only 31 seconds,” claimed the Aurora CEO. “After notifications on strange activities, within one hour the team was checking that everything is OK…”
This is not the first time that the Rainbow bridge has been attacked. On May 1, the platform defended an attempt by hackers to siphon funds. Shevchenko said that is “because the bridge architecture was designed to resist such attacks.”
He added that Aurora “discarded” plans to boost security by increasing the safe deposit because that would make the bridge “more permissioned” and less decentralized. Instead, the protocol paid a $6 million bounty to ethical hackers to help secure user funds.
Shevchenko had a special message for the attacker:
“It’s great to see the activity from your end, but if you actually want to make something good, instead of stealing users money and having lots of hard time trying to launder it; you have an alternative — the bug bounty:”
BeInCrypto has reached out to company or individual involved in the story to get an official statement about the recent developments, but it has yet to hear back.