The hacker lost 5 ETH in the process, but the Rainbow Bridge, which enables the transmission of cryptographically verifiable data between Near (NEAR) and Ethereum (ETH), has withstood another attack.
The CEO of Aurora Labs, Alex Shevchenko, stated in a blog post on August 22 that a weekend attack on the bridge was promptly nullified within 31 seconds and that no user funds were compromised.
The attack began when a malicious actor submitted a fake NEAR block to the Rainbow Bridge contract. The transaction required a safe deposit of 5 ETH.
According to Shevchenko, “Automated watchdogs were challenging the malicious transaction, which led to an attacker losing his safe deposit.”
The Rainbow Bridge, developed by Aurora as the scaling solution for Ethereum built on the NEAR blockchain, enables users to move tokens across the ETH, NEAR, and Aurora networks.
“No designated middleman is involved in the rainbow bridge’s trustless assumptions to move messages or assets between chains. As a result, anyone, including the NEAR light client, can engage with its smart contracts,” explained Shevchenko.
He noted that the information on NEAR blocks is typically sent to Ethereum by the bridge’s relayers, software running on conventional servers that frequently read blocks. However, occasionally some people deliberately submit misleading information.
Shevchenko warned that providing inaccurate information to the NEAR Light Client could result in the loss of all funds on the bridge, and said that this action is secured by the consensus of all NEAR validators.
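The deposit-and-challenge flow described above can be sketched as a small model. This is an example added here, not Aurora's contract or watchdog code. The class and function names, the HMAC stand-in for validator signatures, the two-thirds threshold and the omitted challenge timing are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

BOND_ETH = 5  # safe deposit named in the article
# Constructed validator set; HMAC stands in for real validator signatures.
VALIDATORS = {"val-a": b"key-a", "val-b": b"key-b", "val-c": b"key-c"}

def sign(key: bytes, header: bytes) -> bytes:
    return hmac.new(key, header, hashlib.sha256).digest()

@dataclass
class Submission:
    header: bytes
    sigs: dict
    bond: int
    status: str = "pending"

def valid_signers(sub: Submission) -> int:
    # Count signatures that verify against the known validator set.
    return sum(hmac.compare_digest(sig, sign(VALIDATORS[n], sub.header))
               for n, sig in sub.sigs.items() if n in VALIDATORS)

class LightClient:
    def __init__(self):
        self.slashed_eth = 0

    def submit(self, header, sigs, bond):
        if bond < BOND_ETH:  # anyone may submit, but only with the deposit at stake
            raise ValueError("deposit too small")
        return Submission(header, sigs, bond)

    def challenge(self, sub):
        # Watchdog check: slash unless more than 2/3 of validators signed (assumed threshold).
        if sub.status != "pending" or 3 * valid_signers(sub) > 2 * len(VALIDATORS):
            return False
        self.slashed_eth += sub.bond
        sub.status, sub.bond = "slashed", 0
        return True

    def finalize(self, sub):  # header survived the challenge period (timing omitted)
        if sub.status != "pending":
            return False
        sub.status = "accepted"
        return True

def demo():
    lc, good, fake = LightClient(), b"block-100", b"block-100-forged"
    honest = lc.submit(good, {n: sign(k, good) for n, k in VALIDATORS.items()}, 5)
    forged = lc.submit(fake, {n: b"\x00" * 32 for n in VALIDATORS}, 5)
    return (lc.challenge(honest), lc.finalize(honest),
            lc.challenge(forged), lc.finalize(forged), lc.slashed_eth)
```

In the model, a challenge against the honestly signed header fails and the header is accepted, while the forged header is slashed before it can be finalized and its 5 ETH deposit is forfeited.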
Notably, a similar attack on the bridge was attempted on May 1 and was unsuccessful, costing the attacker 2.5 ETH. The “bridge architecture was meant to resist such attacks,” Shevchenko claimed at the time.
🧵 on the Rainbow Bridge attack today.
TL;DR: attack was stopped automatically, no bridged funds lost, attacker lost some money, bridge architecture was designed to resist such attacks, additional measures to be taken to ensure the cost of an attack attempt is increased
— Alex Shevchenko 🇺🇦 (@AlexAuroraDev) May 1, 2022
Shevchenko, meanwhile, urged hackers to sign up for bug bounty programmes rather than attempting to steal user money. White hat hackers can receive a bounty of up to $1 million from Aurora in exchange for analysing code and stopping hacks.
He stated, “Dear attacker, it’s fantastic to see the activity happening from your end, but if you genuinely want to accomplish something useful, instead of stealing user funds and having a difficult time attempting to launder it, you have a choice — the bug bounty.”
According to Immunefi, a prominent platform for bug bounty and security services, malicious actors stole over USD 670 million from crypto protocols during the second quarter of the year, at the same time as the unsuccessful attempt on the Rainbow Bridge. In comparison to Q2 2021, when hackers and fraudsters stole USD 440m, this amount has increased by over 50%.
As previously reported, a hacker used Harmony’s Horizon Bridge vulnerability to steal various crypto assets valued at USD 100 million in late June. And before that, hackers stole roughly USD 325 million from the decentralised finance (DeFi) network Wormhole in February, after exploiting the Ronin Network to the extent of USD 600 million.