The hacker lost ETH 5 (USD 7,878) in the process of attacking the Rainbow Bridge. Still, the Rainbow Bridge has managed to withstand another attack.
According to Alex Shevchenko, CEO of Aurora Labs, a hacker lost 5 Ethereum (ETH) on August 22 during a botched attempt to breach the Rainbow Bridge over the weekend. No user money was misplaced. The Rainbow Bridge enables the transmission of cryptographically verifiable data between Near (NEAR) and Ethereum (ETH).
The attacker demanded a purported “safe deposit” of 5 ETH before submitting “a fake NEAR block” to the Rainbow bridge. On August 20 at 04:49:19 UTC, the transaction was successfully sent to Ethereum.
Shevchenko noted what appears to be a reliable precaution to protect payments on the bridge when he stated that the attack “was mitigated automatically within 31 seconds.” The hacker “was hoping that it would be difficult to react [to] the attack early Saturday morning,” the author continues.
The attacker lost their 5 ETH investment, worth around $8,000 at the time, due to “automatic watchdogs challenging the malicious transaction.”
The CEO of Aurora claimed that “the reaction took just 31 seconds.” “Within an hour of receiving notifications of odd activity, the crew ensured everything was in order.”
Users can move tokens across the ETH, NEAR, and Aurora networks using Rainbow. It was produced by Aurora, the NEAR blockchain-based scaling solution compatible with Ethereum.
Users can send ERC-20 assets directly to NEAR wallets and applications from MetaMask or other Web3 wallets and vice versa.
Aurora stops an attack on the Rainbow Bridge
Since there is no chosen middleman to move messages or assets between chains, the bridge “is founded on trustless assumptions.” Its smart contracts can therefore be interacted with by anyone, “typically with malevolent intentions.”
Cybercriminals cannot, however, provide “incorrect” information since “a consensus of NEAR validators” is required, protecting against the possibility of losing all cash on the bridge, according to Shevchenko.
In a tweet, he wrote, “If someone tries to submit erroneous information, then it would be disputed by independent watchdogs, who also monitor NEAR blockchain.”
🧵 on the Rainbow Bridge attack during the weekend
TL; DR: similar to May attack; no user funds lost; attack was mitigated automatically within 31 seconds; attacker lost 5 ETH. pic.twitter.com/clnE2l8Vgz
— Alex Shevchenko 🇺🇦 (@AlexAuroraDev) August 22, 2022
Resistance to “Near Block” Attacks
The Rainbow Bridge has experienced attacks in the past as well. The site defended a hacker’s attempt to steal money on May 1. That is “because the bridge architecture was designed to resist such attacks,” Shevchenko claimed.
He continued that Aurora “discarded” plans to increase security by raising the safe deposit. Because doing so would be “more permissioned” and “less decentralized.” Instead, to assist secure user payments, the protocol offered ethical hackers a $6 million prize.
He noted that the information on NEAR blocks is typically sent to Ethereum by the bridge’s relayers. The Bridge Relayers are softwares running on conventional servers that frequently read blocks. However, occasionally other people willfully submit inaccurate information.
Shevchenko warned that providing inaccurate information to the NEAR Light Client could result in the loss of all monies. He said that this action is secured by the agreement of all NEAR validators.
Notably, a similar assault on the bridge was attempted on May 1 and was unsuccessful, costing the attacker ETH 2.5. The “bridge architecture was meant to resist such attacks,” Shevchenko claimed.