Attackers trying to exploit Near Protocol’s Rainbow bridge lost some 5 ether (ETH), or just over US$8,000 at current rates, over the weekend after automated security processes by the bridge’s validators kicked in and mitigated the threat in under 31 seconds.
Blockchain-based bridges allow users to send and receive tokens between different networks by locking native tokens on either side. Rainbow allows users to send tokens among the Ethereum, Near and Aurora networks and has over $2.3 billion in assets locked on the protocol, data shows.
Rainbow developer Alex Shevchenko said in a note Monday that an attacker submitted a fabricated Near block to the Rainbow bridge contract over the weekend by putting up a “safe deposit” of 5 ether.
That transaction was successfully submitted to the Ethereum network, with the attacker expecting Rainbow developers to be unavailable to mitigate any threats. “[The] attacker was hoping that it would be complicated to react to the attack early Saturday morning,” Shevchenko explained.
The attacker likely intended to fake transactions and trick Rainbow’s smart contracts into releasing locked funds without depositing any initial funds. Such a sophisticated mechanism has previously been used to exploit several blockchain bridges, such as Nomad’s recent $200 million exploit.
But Rainbow’s validators automatically caught the fabricated block that the attacker tried to submit, challenged and blocked the transaction, and took away the safe deposit of 5 ether put up by the attacker.
This was possible because of how the Rainbow bridge works. As a wholly decentralized platform, Rainbow relies on several validators, called bridge relayers, who submit information about Near blocks to Ethereum. Anyone can submit information to Rainbow, and false information could likely result in a loss of all user funds.
However, this is where the validators step in: They agree on which transactions are genuine by tracking blockchain activity on all networks connected to Rainbow. Incorrect transactions are challenged by independent “watchdogs” who observe the Near blockchain to check for data mismatches, with incorrect transactions getting flagged and eventually blocked.
Such a mechanism protects the network from seeing potentially hundreds of millions of dollars in losses, especially as bridge attacks become more commonplace.
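The bond-and-challenge flow described above, as an added sketch that is not Rainbow's contract code or anything published by its developers. The class and function names, the 600-second challenge window and the `verify` callback standing in for the bridge's validity check are assumptions of this model, and the block headers are constructed.

```python
import hashlib

BOND_ETH = 5            # deposit size reported in the article
CHALLENGE_WINDOW = 600  # seconds; assumed value, not from the article

def header_hash(height, prev, state_root):  # constructed stand-in for a Near header hash
    return hashlib.sha256(f"{height}|{prev}|{state_root}".encode()).hexdigest()

class Bridge:
    def __init__(self, verify):
        self.verify = verify   # assumed stand-in for the bridge's validity check
        self.pending = {}      # height -> (relayer, header, bond, submitted_at)
        self.accepted = {}     # height -> header, usable after an unchallenged window
        self.slashed = 0       # total ETH taken from rejected submissions

    def submit(self, relayer, height, header, bond, now):
        if bond < BOND_ETH or height in self.pending or height in self.accepted:
            raise ValueError("bond too small or height already submitted")
        self.pending[height] = (relayer, header, bond, now)

    def challenge(self, height, now):
        entry = self.pending.get(height)
        if entry is None or now - entry[3] >= CHALLENGE_WINDOW:
            return False       # nothing pending, or the window already closed
        if self.verify(height, entry[1]):
            return False       # header is genuine; challenge rejected
        self.slashed += self.pending.pop(height)[2]
        return True

    def finalize(self, height, now):
        entry = self.pending.get(height)
        if entry is None or now - entry[3] < CHALLENGE_WINDOW:
            return False
        self.accepted[height] = self.pending.pop(height)[1]
        return True

def watchdog_scan(bridge, near_view, now):
    """Challenge each pending header that differs from the watchdog's view of Near."""
    return [h for h, e in list(bridge.pending.items())
            if near_view.get(h) != e[1] and bridge.challenge(h, now)]

def demo():
    near = {100: header_hash(100, "genesis", "root-a")}   # constructed chain data
    near[101] = header_hash(101, near[100], "root-b")
    bridge = Bridge(verify=lambda h, hdr: near.get(h) == hdr)
    bridge.submit("honest-relayer", 100, near[100], BOND_ETH, now=0)
    bridge.submit("attacker", 101, header_hash(101, near[100], "forged"), BOND_ETH, now=10)
    challenged = watchdog_scan(bridge, near, now=40)
    finalized = [h for h in (100, 101) if bridge.finalize(h, now=700)]
    return challenged, finalized, bridge.slashed
```

`demo()` returns `([101], [100], 5)`: the fabricated header is challenged and its bond taken, while the genuine one finalizes. In this model a bad header that nobody challenges before the window closes would finalize, which is why automated, always-on watchdogs matter.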
In late June, attackers linked to North Korean hacker group Lazarus exploited a vulnerability in Harmony's Horizon Bridge to steal over $100 million. In March, Axie Infinity’s Ronin Network was exploited for over $625 million, while Solana-based cross-chain bridge Wormhole lost over $325 million to attackers in February.