How a Hacker Lost His ETH While Attacking Rainbow Bridge

An attacker trying to steal funds from Rainbow Bridge on Saturday was stopped within 31 seconds, losing 5 ETH in the process.

Alex Shevchenko – CEO of Aurora Labs – broke down how the protocol mounted its automated defense, without needing an immediate response from the security team. 

Another Successful Bridge Defense

In a Twitter thread on Monday, Shevchenko said that someone attempted to send a fabricated NEAR block to the Rainbow Bridge smart contract. 

Rainbow Bridge is a blockchain bridge that lets users migrate assets from other chains onto NEAR. Given that it’s designed in a trustless fashion with no selected middlemen, anyone is capable of interacting with Rainbow Bridge’s smart contracts. That includes NEAR’s light client. 

“Usually, it’s Rainbow bridge relayers, who submit the info on NEAR blocks to Ethereum,” said Shevchenko. “However, sometimes others are doing this. Unfortunately, usually with bad intentions.”

If someone submits incorrect information to NEAR’s light client, then all funds from Rainbow Bridge can potentially be drained. To combat this, the bridge uses a consensus of NEAR validators to validate incoming information, alongside automated watchdogs. 

In this case, the attacker proposed his fabricated block on Saturday morning, likely hoping it would be a tough time to spot any malicious activity. Submitting the block required him to put forth a safe deposit of 5 ETH.

However, the automated watchdogs observing NEAR’s blockchain immediately challenged the transaction. It was canceled within 4 Ethereum blocks (31 seconds) and caused the attacker to lose his safe deposit – worth over $8000 at current prices. 

The CEO said that Aurora has considered increasing the safe deposit for security purposes, but decided against it. “It would make the bridge more permissioned and we fight for decentralization,” he said. 

Previous Bridge Attacks

Rainbow Bridge was targeted with a similar fabricated block attack in May. However, it was stopped by the same automated watchdog mechanism, stripping the attacker of 2.5 ETH. 

Blockchain bridges are a known honeypot for thieves, given that they contain all assets backing tokens circulating on other chains. The largest DeFi hack ever occurred against Ronin Bridge in March, allowing the attacker to flee with over $600 million worth of ETH and USDC at the time. 

In February, Solana’s Wormhole bridge connecting it to Ethereum was drained of 120,000 wETH, worth about $320 million at the time.