Key Takeaways:
- The attacker lost 2.5 ETH in a failed attempt to attack the NEAR Protocol Rainbow Bridge.
- Bridge architecture was designed to resist such attacks, and additional measures to be taken to ensure the cost of an attack attempt is increased.
Below is a quick overview of this project.
The ETH <> NEAR Rainbow Bridge allows users to migrate assets to NEAR’s developer-friendly and low-cost platform seamlessly.
Here is the address of the attacker:Â
https://etherscan.io/address/0xa4b2aa64b348e4186539e3c3c3f2e80355a5ebc2
The attacker got some ETH from Tornado Cash to start the attack. Here is the link to the transaction:Â
https://etherscan.io/tx/0x31978ff63987f452bbec505613d09d83943beaf11d9053f089310dc32fb8da59.
With these funds, he deployed a contract to deposit some funds to become a valid Rainbow Bridge relayer and send the fabricated light client blocks. Here is the contract address:Â
https://etherscan.io/address/0xd1533149879fcf443c2183802e871b8e0edcac54.
He tried to hit the moment to front-run the relayer but failed to do it. Here is the link to the attacker’s failed transaction:Â
https://etherscan.io/tx/0xb5b489bad56352742ab3a2b5c4659d2f6487ac79f222c87079e0330af36df91e.
After that, he decided to send a similar transaction with the block timestamp in the future (+5h). This transaction successfully substituted the previously submitted block. Here is the link to that transaction:
https://etherscan.io/tx/0x342ad0d9acfeed484f61f75971e30a38affdede61d12d17bf413f9aa0d24cc1c.
In a short period, one of the bridge watchdogs figured out that the block submitted was not in the NEAR blockchain, and they created a challenge transaction and sent it to Ethereum. Here is the link to that transaction:Â
https://etherscan.io/tx/0x5edcf538538819c91ed2ffa115f380ccaa2fe71ca264b7b1e199cb5d913b21fc.
Immediately, MEV bots detected this transaction and figured out that front-running it would result in 2.5 ETH, so they did exactly this. Here is the link to that transaction:Â
https://etherscan.io/tx/0xd775968438da661ca8b19aa651a646d86b0476961196b214846b52d9c4c9eb66.
As a result, the watchdog transaction failed, MEV bot transaction succeeded and rolled back the fabricated block of the attacker. Some minutes after this, the relayer submitted a new block. Here is the link to that transaction:Â
https://etherscan.io/tx/0x020dd82b92738320488a5d76534917a5429b3008dcf8058f113f932a70771637.
Later, the team investigated the strange behavior and paused all the connectors. And once figured out the details, unpaused them back.
The attack was mitigated fully automatically. Rainbow Bridge users didn’t see anything happening, continuing transacting in both directions. However, the combination of the high Ethereum fees, a delay of the block relaying, and a desire to check whether watchdogs are operational or not were stimulating an attacker to break the bridge at that exact moment.
For at least six months team knew that watchdog transactions would be front-run by the MEV bots. The main reason to keep these mechanics is the additional protection, as MEV bots know how to get transactions executed. The attacker lost 2.5 ETH, which was paid to the MEV bot because of the successful challenge.
We would like to credit Alex Shevchenko, CEO of Aurora Labs, for all this information.
As crypto hacks are increasing nowadays, our readers should stay alert.
