The attack actually stopped automatically, the bridge funds did not suffer any loss, but the attacker lost some money.
On the evening of May 1, the use of Near Rainbow Bridge was suspended due to abnormal activities. Officials have launched an investigation. Alex Shevchenko, CEO of Near ecological EVM chain Aurora Labs, tweeted a detailed explanation of the attack. PANews translated the relevant content as follows:
Regarding the Rainbow Bridge attack, I would like to give a brief explanation here. The attack actually stopped automatically, the bridge funds did not suffer any loss, but the attacker lost some money. The bridge architecture of the NEAR rainbow bridge is designed to resist this type of attack, and we need to take additional measures to make the attack cost more expensive, so that the rainbow bridge can be better secured.
The address information of the Rainbow Bridge attacker is as follows:
The attacker started the attack after obtaining some ETH from Tornado on May 1. The screenshot of the information he obtained ETH is as follows:
Using these funds, the attacker deploys a contract, and if some funds are deposited into this contract, it becomes a valid rainbow bridge relay and can send some fake light client blocks, the contract The information is shown below:
The attacker tried to seize the moment to “run” in front of our repeater, but he was unable to do so, as shown in the image below:
Afterwards, the attacker decides to send a similar attack transaction (with block time errors) five hours later, which successfully replaces the previously submitted block, as shown in the following image:
However, soon, Rainbow Bridge’s bridge “watchdog” found that the block submitted by the attacker was no longer in the NEAR blockchain, so it created a challenge transaction and sent it to ether Square, the following screenshot:
Immediately, the MEV robot detected the transaction and found that if the transaction was executed in advance, it could generate a profit of 2.5 ETH, so the MEV robot executed the transaction. The screenshot is as follows:
As a result, the transaction of the NEAR rainbow bridge watchdog failed, while the transaction of the MEV robot succeeded, and the block fabricated by the attacker was rolled back. Then a few minutes later, the repeater of Rainbow Bridge submitted a new block, the screenshot is as follows:
We then discovered this strange behavior on the network and launched an investigation, while also suspending all connectors. When all was clear, we reverted to the connector.
Here, we report to you four conclusions from this event:
Conclusion 1: NEAR Rainbow Bridge completely automatically responded to this attack, the user did not even notice that anything happened, and the two-way transaction was not affected in any way;
Conclusion 2: Probably due to high Ethereum fees (and delays in block relays), coupled with constantly checking to see if the Rainbow Bridge watchdog is running properly, the attacker eventually dropped the Rainbow Bridge connection (IMPORTANT: at least 6 months before we knew that the watchdog transaction would be run first by the MEV bot, as reported by our auditor @sigp_io, the main reason to keep this mechanism is for extra protection, as the MEV bot knows how to execute the transaction as quickly as possible), due to The challenge was successful, and the attacker lost 2.5 ETH, which was eventually paid to the MEV robot;
Conclusion 3: We will slightly redesign the challenge payment mechanism, so most of the relayer stake remains in the contract (so, at this point, the attacker wins), and we also pay the watchdog (or MEV robot) paid some fixed amount;
Conclusion 4: At the same time, we will increase the staking requirements for relayers more times, so if a similar attack is launched in the future, the attacker may need to spend more costs, and the funds lost by the attacker will be used for bug bounties, as well as paying additional audit fees.
Finally, there is some information for your reference: as far as I know, NEAR Rainbow Bridge currently has about 5 “watchdogs” running 24*7 all-weather, I believe not many people know about this situation (this is also a kind of internal personnel means of protection), so users can further improve transaction security by simply running a “watchdog” script.
For every “watchdog” transaction that fails due to a front-running transaction, a portion of the attacker’s stake will be rewarded through a manual process. If this does happen, please message me. I want everyone who innovates in the blockchain space to give full attention to the security and robustness of their products through all available means, including: automated systems, notifications, bug bounties, internal and external audits.
In order to ensure that the core work of the ecosystem is stable, Aurora Labs will also do its best to continue to develop the most secure technology.
Posted by:CoinYuppie，Reprinted with attribution to:https://coinyuppie.com/review-of-the-near-rainbow-bridge-attack-from-the-beginning-and-end-of-the-hacker-attack/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.