CEO of Aurora Labs, Alex Shevchenko, announced Monday that the NEAR-ETH Rainbow Bridge defended an attack over the weekend resulting in the hacker losing 5ETH.
Shevchenko claimed that the attack was “mitigated automatically within 31 seconds,” showcasing a highly effective defense mechanism to protect users’ funds within the bridge.
The Rainbow Bridge allows users to move $ETH, $NEAR, and ERC-20 tokens between networks. However, the bridge “is based on trustless assumptions with no selected middleman to transfer messages or assets between chains.” These assumptions mean that anyone can interact with smart contracts “usually with bad intentions.”
However, bad actors can not submit “incorrect” information due to the need for “a consensus of NEAR validators.” Shevchenko continued,
“if someone tries to submit incorrect info, then it would be challenged by independent watchdogs, who also observe NEAR blockchain.”
A “fabricated NEAR block” was submitted over the weekend, requiring a 5 ETH deposit. The transaction was successfully submitted to Ethereum on Saturday, August 20, at 04:49:19 PM UTC. Shevchenko claimed that the “attacker was hoping that it would be complicated to react to the attack early Saturday morning.” However, the “automated watchdogs” challenged the transactions causing the attacker to lose their deposit just 31 seconds later at 04:49:50 PM UTC.
Following the response from the automated watchdog, Shevchenko asserted that the security team checked the bridge’s status within the hour to confirm no further action was required.
Shevchenko ended the thread with a statement directly to the attacker, saying,
“dear attacker, it’s great to see the activity from your end, but if you actually want to make something good, instead of stealing users money and having lots of hard time trying to launder it; you have an alternative — the bug bounty.”
Original thread below:
🧵 on the Rainbow Bridge attack during the weekend
TL; DR: similar to May attack; no user funds lost; attack was mitigated automatically within 31 seconds; attacker lost 5 ETH. pic.twitter.com/clnE2l8Vgz
— Alex Shevchenko 🇺🇦 (@AlexAuroraDev) August 22, 2022