A hacker targeting Rainbow Bridge has lost five Ethereum in the process of attacking the platform.
Stolen funds were almost immediately returned with no harm done to the users of the platform.
Blockchain bridges, or cross-chain bridges, connect blockchains together so users can send crypto from one chain to another. Native tokens are locked on either side of the transaction as it is performed.
Rainbow Bridge, created by Aurora Labs, allows users to send and receive tokens throughout the Near, Ethereum, and Aurora blockchain networks, and has over $2.3 billion in assets locked on the protocol.
Aurora Labs CEO Alex Shevchenko tweeted yesterday that Rainbow Bridge had successfully blocked the attack “automatically within 31 seconds.”
🧵 on the Rainbow Bridge attack during the weekend
TL; DR: similar to May attack; no user funds lost; attack was mitigated automatically within 31 seconds; attacker lost 5 ETH. pic.twitter.com/clnE2l8Vgz
— Alex Shevchenko 🇺🇦 (@AlexAuroraDev) August 22, 2022
Smart contracts, including the one used by Rainbow, are automated and trustless – meaning that bad actors can also exploit the system. Shevchenko believes the attacker was hoping that Rainbow developers would not be able to help defend against any threats.
According to Shevchenko, the attacker had submitted a fabricated Near block to the Rainbow Bridge contract this past weekend with a “safe deposit” of five Ethereum.
However, Aurora Labs already had “automated watchdogs” monitoring the transaction, which resulted in the attacker losing their deposit within 31 seconds, with no harm done to other users in the exploit attempt. At the time of writing, the five ETH deposit was worth $8,000.
The attacker is assumed to have intended to fake transactions in order to trick Rainbow’s smart contracts into releasing locked native tokens on the platform, without needing to deposit any initial funds.
“[The] attacker was hoping that it would be complicated to react to the attack early Saturday morning,” said Shevchenko.
This same method of faking transactions was used in the Nomad Bridge exploit in early August, draining the cross-chain bridge of $200 million in assets.
A similar attack on Rainbow happened earlier in the year, resulting in a failed asset syphoning attempt and the attacker losing 2.5 ETH. Shevchenko had famously said that the “bridge architecture was designed to resist such attacks.”
Putting a positive spin on the attack, Shevchenko pushed for hackers to divert their energy into preventing future hacks through reviewing code. Aurora is known to offer white hat hackers up to one million USD in bug bounties.
“Dear attacker, it’s great to see the activity from your end, but if you actually want to make something good, instead of stealing users’ money and having lots of hard time trying to launder it; you have an alternative—the bug bounty,” added Shevchenko.
According to the bug bounty and security services platform Immunefi, bad actors have stolen over $670 million from DeFi projects in Q2 2022, a whopping 50% increase from approximately $440 million stolen in Q2 2021.
Cross-chain bridges have been a popular target for attackers hoping to exploit vulnerabilities in the system. In late March, Axie Infinity’s Ronin Bridge was drained of over $600 million in what is known as one of the greatest crypto heists. More recently, Harmony’s Horizon Bridge was exploited for $100 million in a variety of crypto assets in late June.