Near Protocol Rainbow Bridge First Attack Mitigated

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

The Near Protocol Rainbow Bridge allows the transfer of tokens between the Ethereum, Near, and Aurora blockchain networks. Like most bridges, it faces the possibility of attackers submitting fraudulent transactions to trick the bridge into releasing funds without an actual payment being made. The Near Protocol Rainbow Bridge requires the attacker to send a "safe deposit", has watchdogs monitoring the network, and allows validators to flag and reject any suspicious transactions.

In the early morning between April 30th and May 1st, 2022 (depending on timezone), a fraudulent transaction was submitted. It was successfully detected and mitigated, and no funds were lost.

About Near Protocol

The NEAR Rainbow Bridge is a solution for scalability in blockchain networks, particularly for Ethereum[1]. The ETH <> NEAR Rainbow Bridge enables seamless migration of assets from Ethereum to NEAR's low-cost and developer-friendly platform[2]. Due to increased demand on the Ethereum network, users can now bridge their assets to NEAR and enjoy faster transactions without compromising speed[2].

The Rainbow Bridge is a trustless and permissionless protocol, enabling anyone to deploy, use, or maintain a bridge without requiring approval[2]. It addresses the congestion and high gas fees associated with increased transactions[1]. It allows cryptographic proof on NEAR to be usable in Ethereum contracts and vice versa, facilitating activities like voting with ETH balances in NEAR DAOs[2]. The bridge is accessible through the ETH Faucet and MetaMask wallet, and transactions on NEAR confirm in 1-2 seconds at a low cost[2]. While transferring assets from Ethereum to NEAR takes about six minutes and incurs an average cost of $10, sending assets back to Ethereum currently takes up to sixteen hours and costs around $60. However, these costs and speeds are expected to improve in the future. The Rainbow Bridge is available to everyone, offering advantages in speed and cost for transferring ERC-20 tokens on NEAR[2].

NEAR protocol, which uses blockchain sharding technology, serves as the foundation for the Rainbow Bridge[1]. The protocol offers advantages such as Nightshade sharding, Rainbow Bridge, and Aurora, which enable efficient data processing, seamless token swapping between Ethereum and NEAR, and layer 2 scalability. The Rainbow Bridge is decentralized and permissionless, allowing for the transfer of ERC-20 tokens, stablecoins, wrapped tokens, and NFTs[1]. It offers faster confirmation times and lower transaction costs, benefiting both developers and users[1].

Users can connect to the bridge using WalletConnect, MetaMask, or the Brave crypto wallet[3]. If they don't have a NEAR account, they can create one by logging in with MetaMask and proving ownership of an Ethereum address with a balance of at least 0.05 ETH[3]. The bridge allows popular tokens such as stablecoins (e.g., USDT, DAI), wrapped assets (e.g., WBTC, WETH), DEX tokens (e.g., UNI, 1INCH), lending tokens (e.g., AAVE, COMP), and service company tokens (e.g., HT, CRO) to be interoperable with NEAR[2]. The transfer of ERC-20 tokens uses a two-step process of approval and transfer, with the tokens being locked in a token locker contract[4] on Ethereum until they are unlocked on NEAR[3].

TBD more on architecture[1] and GitHub[5]. Team founding. Etc...

Statistics on the Rainbow Bridge are publicly available on the Dune website[6].

The Reality

"Usually, it's Rainbow bridge relayers, who submit the info on NEAR blocks to Ethereum. However, sometimes others are doing this. Unfortunately, usually with bad intentions." "Such a mechanism protects the network from seeing potentially hundreds of millions of dollars in losses, especially as bridge attacks become more commonplace."

While the mechanism is designed to prevent malicious transactions, a potential concern was that the detection of malicious transactions may depend on human participation, which could be challenging at certain times of day.

What Happened

An attacker attempted to exploit the Near bridge protocol.

Key Event Timeline - Near Protocol Rainbow Bridge First Attack Mitigated

| Date | Event | Description |
|---|---|---|
| August 19th, 2020 | The Rainbow Bridge Is Announced | An announcement describes the building of the Rainbow Bridge[7]. |
| April 6th, 2021 6:05:20 AM MDT | The Rainbow Bridge Is Launched | The Rainbow Bridge launch is announced[8][9]. TBD what's different between these two announcements? |
| April 6th, 2021 8:10:45 AM MDT | Rainbow Bridge Guide Published | The "Rainbow Bridge Guide (full version)" is published to YouTube[3]. |
| April 30th, 2022 10:01:49 PM MDT | Attacker Brings Funds From TornadoCash | The attacker brings some funds from TornadoCash. He wants to make sure his donation is anonymous[10]. |
| April 30th, 2022 10:07:35 PM MDT | Attack Smart Contract Prepared | The attacker wallet prepares a smart contract in preparation for their attack[11][12]. |
| April 30th, 2022 10:10:47 PM MDT | Attacker Tries Hard To Donate ETH | The attacker first tries to donate his Ethereum but it fails because he "[c]an only replace with a sufficiently newer block"[13]. |
| April 30th, 2022 10:21:00 PM MDT | Attacker Generously Donates 5 ETH | The attacker finally succeeds in making his generous donation of 5 ETH to support the Rainbow Bridge[14]. |
| April 30th, 2022 10:24:03 PM MDT | Transaction Reverted No Block Can Be Challenged | Two transactions. One transaction fails because "No block can be challenged at this time"[15]. The other is successful[16]. |
| April 30th, 2022 10:27:35 PM MDT | Near Protocol Deployer Transaction | A transaction occurs from the Near protocol deployer[17]. |
| May 1st, 2022 11:01:00 AM MDT | Twitter Post About The Attack | Alex Shevchenko posts a summary with details of the unsuccessful attack and states that the cost of attacking the protocol will also be increased[18]. |
| August 22nd, 2022 6:31:00 AM MDT | Referenced in Report of Second Attack | The first attack is referenced in a report on the second attack attempt[19]. |
| August 23rd, 2022 6:08:00 AM MDT | Referenced In CoinDesk Article | The first attack is referenced in a CoinDesk article on a second attack attempted on the protocol[20]. |

Technical Details

The attacker "got some ETH from Tornado to start the attack around [4 AM UTC]." "With th[is] money he deployed a contract that meant to deposit some funds to become a valid Rainbow Bridge relayer and send the fabricated light client blocks." "He was trying to hit the moment to front run our relayer, but failed to do it."

"After it, he decided to send the similar transaction with the block timestamp in the future (+5h)[. T]his transaction successfully substituted the previously submitted block." "Probably, the combination of the high Ethereum fees (and a delay of the block relaying) and a desire to check whether watchdogs are operational or not, were stimulating an attacker to break the bridge in that exact moment."

"For at least 6 months we knew that watchdog transaction would be front run by the MEV bots (reported by our auditors @sigp_io). [The m]ain reason to keep this mechani[sm] is the additional protection: MEV bots know how to get transactions executed ASAP."

Total Amount Lost

No funds were lost, except by the attacker, who lost 2.5 ETH.

Immediate Reactions

"In a short period one of the bridge watchdogs figured out that the block submitted is not in the NEAR blockchain; created a challenge transaction and sent it to Ethereum." "Immediately, MEV bots detected this transaction and figured out that front-running it would result in 2.5 ETH gain, so they did exactly th[at]."

"As a result, [the] watchdog transaction failed[. The] MEV bot transaction succeeded and rolled back the fabricated block of the attacker. Some min[utes] after this, our relayer submitted a new block[.]" "The attack was mitigated fully automatically, Rainbow Bridge users [didn't even see] anything happening, continuing transacting in both directions."

The "[a]ttacker lost 2.5 ETH, which was pa[i]d to the MEV bot because of the successful challenge."

"A bit later we started to investigate the strange behaviour and paused all the connectors. And once figured out the details, unpaused them back."

Ultimate Outcome

The Near Protocol outlined some potential adjustments to their protocol based on the attack.

"We [plan to] redesign a bit the challenge payout mechanics, so the majority of the relayer stake is kept in the contract (so, lost to the attacker too), and some fixed amount pa[i]d to the watchdog (or MEV bot)." We also plan to "increase the stake for the relayer manyfold, so similar attempts would cost much more." "Money that attackers would lo[se] will be spent for bug bounties and additional audits." "Every watchdog transaction, that would fail because of the front running will be rewarded with a portion of the attacker stake through the manual process. In case this happens, please send me a message." "I wish everyone who is innovating in the blockchain to pay enough attention to security and robustness of their products through all the available means: automatic systems, notifications, bug bounties, internal and external audits."

Ultimately an exploit on the Near Protocol was again attempted in August.
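
The watchdog check and challenge payout described in the sections above can be sketched as a small Python model. This is an added illustration, not code from the Rainbow Bridge repository: the `Header` fields, the `max_drift` tolerance, the half-stake payout (inferred from the 5 ETH deposit and the 2.5 ETH paid out) and the 0.5 ETH fixed reward are assumptions, and the sample headers are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Header:
    height: int
    block_hash: str
    timestamp: int  # unix seconds claimed by the submitter

def watchdog_decision(pending, local_chain, now, max_drift=120):
    """Return 'ok', 'challenge' or 'wait' for a header pending on the bridge.

    local_chain maps height -> block hash as seen by the watchdog's own NEAR node.
    max_drift is a hypothetical clock tolerance, not a value from the page.
    """
    if pending.timestamp > now + max_drift:
        return "challenge"        # e.g. the +5h header described on the page
    known = local_chain.get(pending.height)
    if known is None:
        return "wait"             # local node may be lagging: no evidence yet
    return "ok" if known == pending.block_hash else "challenge"

class BridgeModel:
    """Toy model of the challenge step: one pending header backed by a stake."""
    def __init__(self, stake_eth):
        self.stake_eth = stake_eth
        self.pending = None

    def submit(self, header):
        self.pending = header

    def challenge(self, scheme="current", fixed_reward=0.5):
        """Roll back the pending header; return (challenger_reward, remainder)."""
        if self.pending is None:  # a second challenger finds nothing left to challenge
            raise RuntimeError("No block can be challenged at this time")
        self.pending = None
        if scheme == "current":   # assumption: half the stake (5 ETH -> 2.5 ETH)
            reward = self.stake_eth / 2
        else:                     # planned: fixed reward, rest stays in the contract
            reward = min(fixed_reward, self.stake_eth)
        return reward, self.stake_eth - reward

# Constructed sample data (not real chain data); NOW is 2022-05-01 04:00 UTC.
NOW = 1_651_377_600
LOCAL = {100: "aa11", 101: "bb22"}
FAKE = Header(height=101, block_hash="dead", timestamp=NOW)
FUTURE = Header(height=150, block_hash="beef", timestamp=NOW + 5 * 3600)
HONEST = Header(height=101, block_hash="bb22", timestamp=NOW)
AHEAD = Header(height=102, block_hash="cc33", timestamp=NOW + 2)
```

Whichever challenger's transaction lands first rolls the block back; the second call raises the same error string seen in the timeline, which is why a front-run watchdog transaction fails without weakening the defense.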

Total Amount Recovered

No funds were lost, except by the attacker. The attacker did not recover their funds, and funds were instead donated to the treasury.

Ongoing Developments

There are no remaining developments to be concluded.

Individual Prevention Policies

This case does not appear to have resulted in a loss to any individual.

The only entity losing funds in this case was the attacker, who by all accounts appears to have been attempting to defraud the protocol.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

This case does not appear to have resulted in a loss to any platform.

This system seems to have worked effectively due to the multi-signature nature of having multiple independent validators to approve the transactions. Such a system likely works well to automatically approve small value transactions, where there is minimal incentive to attack, with continual adaptation and a small treasury to pay out any losses available. Larger transactions would likely benefit from human oversight as it can be challenging to be sure that the automated systems will effectively detect the full diversity of potential fraudulent transactions. There is a tendency for all nodes to employ similar software that will make the exact same decision, thereby negating key benefits of the multi-signature setup.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

It does not appear that any funds were lost in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.


  1. What is NEAR Rainbow Bridge and How do they work? (Jan 9, 2023)
  2. Bridge from Ethereum to NEAR | The Rainbow Bridge Homepage (Jan 9, 2023)
  3. Rainbow Bridge Guide (full version) - YouTube (Jan 9, 2023)
  4. NearBridge Smart Contract - Etherscan (Jan 9, 2023)
  5. GitHub - aurora-is-near/rainbow-bridge: NEAR <> Ethereum Decentralized Bridge (Jan 9, 2023)
  6. NEAR Rainbow Bridge Statistics - Dune (Jan 9, 2023)
  7. ETH-NEAR Rainbow Bridge – NEAR Protocol (Jan 9, 2023)
  8. The Rainbow Bridge Is Live – NEAR Protocol (Jan 9, 2023)
  9. The Rainbow Bridge Is Live - Near Blog Archive - April 6th, 2021 6:05:20 AM MDT (Apr 12, 2023)
  10. Ethereum Transaction Bringing Funds From TornadoCash - Etherscan (Jan 9, 2023)
  11. Ethereum Transaction Creating Smart Contract - Etherscan (Jan 9, 2023)
  12. Rainbow Bridge Attacker | Address 0xa4b2aa64b348e4186539e3c3c3f2e80355a5ebc2 | Etherscan (Jan 9, 2023)
  13. Ethereum Transaction Which Was Reverted - Etherscan (Jan 9, 2023)
  14. Ethereum Transaction - Attacker's Generous Donation - Etherscan (Jan 9, 2023)
  15. Ethereum Transaction - No block can be challenged - Etherscan (Jan 9, 2023)
  16. Ethereum Transaction - Successful - Etherscan (Jan 9, 2023)
  17. Ethereum Transaction From Near Protocol Deployer - Etherscan (Jan 9, 2023)
  18. AlexAuroraDev - "TL;DR: attack was stopped automatically, no bridged funds lost, attacker lost some money, bridge architecture was designed to resist such attacks, additional measures to be taken to ensure the cost of an attack attempt is increased" - Twitter (Jan 9, 2023)
  19. AlexAuroraDev - "This attack was absolutely similar to an attack on May 1st." - Twitter (Jan 9, 2023)
  20. Hackers Lose 5 Ether While Trying to Attack Near Protocol’s Rainbow Bridge - CoinDesk (Aug 23, 2022)
