The attack was actually stopped automatically, and the bridge funds did not suffer any loss, but the attacker lost some money.

On the evening of May 1, Near Rainbow Bridge was suspended due to abnormal activities. The official has launched an investigation. Alex Shevchenko, CEO of Near Ecosystem EVM Chain Aurora Labs, posted a detailed explanation of the attack on Twitter. PANews translated the relevant content as follows:

I would like to give a brief explanation about the Rainbow Bridge attack. The attack was stopped automatically and no bridge funds were lost, but the attacker lost some money. The NEAR Rainbow Bridge’s bridge architecture is designed to resist this type of attack, and we need to take additional measures to make the attack more costly, so that we can better ensure the safety of the Rainbow Bridge.

The address information of the Rainbow Bridge attacker is as follows:

The attacker started the attack after obtaining some ETH from Tornado on May 1. The screenshot of the information he obtained from ETH is as follows:

Using these funds, the attacker deployed a contract. If some funds are deposited into this contract, it can become a valid Rainbow Bridge relay and send some fake light client blocks. The contract information is shown in the figure below:

The attacker tried to seize the opportunity to “run in front of” our repeater, but he failed to do so, as shown in the following figure:

Afterwards, the attacker decided to send similar attack transactions (with incorrect block times) five hours later, which successfully replaced the previously submitted blocks, as shown in the following figure:

Soon, however, the bridge watchdog of Rainbow Bridge discovered that the block submitted by the attacker was no longer in the NEAR blockchain, so it created a challenge transaction and sent it to Ethereum, as shown in the following screenshot:

Immediately, the MEV robot detected the transaction and found that if the transaction was executed in advance, it could generate 2.5 ETH of profit, so the MEV robot executed the transaction. The screenshot is as follows:

As a result, the transaction of the NEAR Rainbow Bridge Watchdog failed, while the transaction of the MEV robot succeeded, and the block fabricated by the attacker was rolled back. Then a few minutes later, the Rainbow Bridge relay submitted a new block, as shown in the screenshot below:

We then discovered this strange behavior on the network and started investigating, and paused all connectors. Once everything became clear, we restored the connectors.

Here, we report to you the four conclusions of this incident:

Conclusion 1: NEAR Rainbow Bridge completely automatically responded to the attack. Users did not even notice anything happened, and two-way transactions were not affected at all.

Conclusion 2: It is possible that the high Ethereum fees (and the delay in block relays) and the constant checking of whether the Rainbow Bridge watchdog was running properly eventually caused the attacker to abandon the Rainbow Bridge connection (Important note: it took at least 6 months for us to know that the watchdog transaction would be run by the MEV robot first, as reported by our auditor @sigp_io. The main reason for retaining this mechanism is additional protection, as the MEV robot knows how to execute transactions as quickly as possible). Due to the successful challenge, the attacker lost 2.5 ETH, which was eventually paid to the MEV robot.

Conclusion 3: We will slightly redesign the challenge payment mechanism so that most of the relayer stake remains in the contract (so, at this point, the attacker wins), and we also pay some fixed amount to the watchdog (or MEV robot);

Conclusion 4: At the same time, we will increase the staking requirements for relayers by many times, so if a similar attack is launched again in the future, the attacker may need to spend more money. The funds lost by the attacker will be used for bug bounties and to pay additional audit fees.

Finally, there is some information for your reference:

As far as I know, NEAR Rainbow Bridge currently has about 5 "watchdogs" running 24*7. I believe that not many people know about this situation (this is also a means of protecting insiders), so users only need to simply run the "watchdog" script to further improve transaction security. For every "watchdog" transaction that fails due to front-running, a portion of the attacker's stake will be rewarded through a manual process. If this does happen, please send me a message.

I hope that everyone innovating in the blockchain space will pay full attention to the security and robustness of their products through all available means, including: automated systems, notifications, bug bounties, internal and external audits. To ensure the stability of the core work of the ecosystem, Aurora Labs will also do its best to continue developing the safest technology.
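The stake-and-challenge sequence described in the thread can be replayed in a small model. This is an added example, not Aurora's contract code and not part of the thread; it compares a payout in which the challenger receives the whole slashed stake with the fixed-reward redesign from Conclusion 3. The 4-hour window, the 0.5 ETH fixed reward, the block names and the timestamps are assumptions; only the 2.5 ETH figure comes from the thread.

```python
from dataclasses import dataclass, field
from typing import Optional

NEAR_CHAIN = {"near-block-A", "near-block-B"}   # constructed: blocks that really exist

@dataclass
class OptimisticClient:
    """Toy stake-and-challenge light client; not the Rainbow Bridge contract."""
    challenge_window: int = 4 * 3600         # assumed value, seconds
    fixed_reward: Optional[float] = None     # None: challenger receives the whole stake
    stakes: dict = field(default_factory=dict)
    paid: dict = field(default_factory=dict)
    retained: float = 0.0                    # slashed stake kept in the contract
    head: str = "near-block-A"
    pending: Optional[tuple] = None          # (block_hash, relayer, submitted_at)

    def submit(self, relayer, stake, block_hash, now):
        self.finalize(now)
        self.stakes[relayer] = stake
        self.pending = (block_hash, relayer, now)

    def finalize(self, now):
        # A pending block becomes the trusted head once its window has passed.
        if self.pending and now >= self.pending[2] + self.challenge_window:
            self.head, self.pending = self.pending[0], None

    def challenge(self, challenger, now):
        """First valid challenge inside the window rolls the block back and slashes."""
        self.finalize(now)
        if self.pending is None or self.pending[0] in NEAR_CHAIN:
            return False
        slashed = self.stakes.pop(self.pending[1])
        reward = slashed if self.fixed_reward is None else min(self.fixed_reward, slashed)
        self.paid[challenger] = self.paid.get(challenger, 0.0) + reward
        self.retained += slashed - reward
        self.pending = None
        return True

def replay(fixed_reward=None, attacker_stake=2.5):
    """Replay the sequence from the thread under a given payout policy."""
    c = OptimisticClient(fixed_reward=fixed_reward)
    c.submit("attacker", attacker_stake, "fabricated-block", now=0)
    bot_ok = c.challenge("mev-bot", now=600)        # copies the watchdog's call, lands first
    watchdog_ok = c.challenge("watchdog", now=600)  # same block: nothing left to challenge
    c.submit("relay", 2.5, "near-block-B", now=900)
    c.finalize(now=900 + c.challenge_window)
    return {"head": c.head, "bot_ok": bot_ok, "watchdog_ok": watchdog_ok,
            "paid": c.paid, "retained": c.retained}
```

In both policies the fabricated block is rolled back whoever lands the challenge first; the policy only changes where the slashed stake ends up.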