The Rainbow Bridge, which facilitates the transfer of cryptographically provable data between Near (NEAR) and Ethereum (ETH), has survived another hack, with the hacker losing ETH 5 (USD 7,878) in the process.
In an August 22 blog post, Aurora Labs CEO Alex Shevchenko said that an attack on the bridge over the weekend was automatically mitigated within 31 seconds, and that no user funds were lost.
The attack took place after a malicious actor submitted a fabricated NEAR block to the Rainbow Bridge contract. The transaction required a safe deposit of ETH 5.
“Automated watchdogs were challenging the malicious transaction, which resulted in an attacker loosing his safe deposit,” Shevchenko said.
Created by Aurora as the Ethereum-compatible scaling solution built on the NEAR blockchain, the Rainbow Bridge allows users to transfer tokens between ETH, NEAR, and the Aurora networks.
“The rainbow bridge is based on trustless assumptions with no selected middleman to transfer messages or assets between chains. Because of this, anyone can interact with its smart contracts, including the NEAR light client,” Shevchenko said.
He added that the bridge’s relayers, scripts running on traditional servers that periodically read blocks, usually submit the info on NEAR blocks to Ethereum. However, sometimes others also submit incorrect information with bad intentions.
“The incorrectly submitted information to the NEAR Light Client may result in the loss of all funds on the bridge,” Shevchenko said, adding that a consensus of NEAR validators secures this step.
Notably, a similar attack on the bridge took place on May 1, with the attacker losing ETH 2.5 during the failed attempt. At the time, Shevchenko said that the “bridge architecture was designed to resist such attacks.”
🧵 on the Rainbow Bridge attack today.
TL;DR: attack was stopped automatically, no bridged funds lost, attacker lost some money, bridge architecture was designed to resist such attacks, additional measures to be taken to ensure the cost of an attack attempt is increased— Alex Shevchenko 🇺🇦 (@AlexAuroraDev) May 1, 2022
Meanwhile, Shevchenko asked hackers to join bug bounty programs instead of trying to steal user funds. Aurora offers white hat hackers up to USD 1m in bounty for preventing hacks and reviewing code.
“Dear attacker, it’s great to see the activity from your end, but if you actually want to make something good, instead of stealing user funds and having lots of hard time trying to launder it; you have an alternative — the bug bounty,” he said.
The failed attempt against the Rainbow Bridge comes as bad actors stole over USD 670m from crypto protocols during the second quarter of the year, according to Immunefi, a major bug bounty and security services platform. This figure is up by almost 50% compared to Q2 2021, when hackers and fraudsters stole USD 440m.
As reported, in late June, a hacker exploited a vulnerability in Harmony‘s Horizon Bridge to steal USD 100m worth of different cryptoassets. And prior to that, the Ronin Network was exploited to the tune of USD 600m, while decentralized finance (DeFi) platform Wormhole lost almost USD 325m to hackers in February.
Source: Cryptonews
