🧵 on the Rainbow Bridge attack today.
TL;DR: attack was stopped automatically, no bridged funds lost, attacker lost some money, bridge architecture was designed to resist such attacks, additional measures to be taken to ensure the cost of an attack attempt is increased
1 / 18
The bridge attacker:


got some ETH from Tornado to start the attack around 12h ago:

CC: @rstormsf
2 / 18
With these money he deployed a contract that meant to deposit some funds to become a valid Rainbow Bridge relayer and send the fabricated light client blocks:
3 / 18
He was trying to hit the moment to front run our relayer, but failed to do it:
4 / 18
After it, he decided to send the similar transaction with the block timestamp in the future (+5h), this transaction successfully substituted the previously submitted block:

5 / 18
In a short period one of the bridge watchdogs figured out that the block submitted is not in the NEAR blockchain; created a challenge transaction and sent it to Ethereum

6 / 18
Immediately, MEV bots detected this transaction and figured out that front-running it would result in 2.5 ETH gain, so they did exactly this:

7 / 18
As a result, watchdog transaction failed, MEV bot transaction succeeded and rolled back the fabricated block of the attacker. Some min after this, our relayer submitted a new block:

8 / 18
A bit later we started to investigate the strange behaviour and paused all the connectors. And once figured out the details, unpaused them back.
9 / 18
Outcome #1:
The attack was mitigated fully automatically, Rainbow Bridge users even didn't saw anything happening, continuing transacting in both directions.
10 / 18
Outcome #2:
Probably, the combination of the high Ethereum fees (and a delay of the block relaying) and a desire to check whether watchdogs are operational or not, were stimulating an attacker to break the bridge in that exact moment
11 / 18
For at least 6 months we knew that watchdog transaction would be front run by the MEV bots (reported by our auditors @sigp_io).
Main reason to keep this mechanics is the additional protection: MEV bots know how to get transactions executed ASAP.
12 / 18
Attacker lost 2.5 ETH, which was payed to the MEV bot because of the successful challenge.
13 / 18
Outcome #3:
We would redesign a bit the challenge payout mechanics, so the majority of the relayer stake is kept in the contract (so, lost to the attacker too), and some fixed amount payed to the watchdog (or MEV bot).
14 / 18
Outcome #4:
And also we would increase the stake for the relayer manyfold, so similar attempts would cost much more.

You can think of this as a slashing in the PoS.

Money that attackers would loose will be spent for bug bounties and additional audits.
15 / 18
For everyone's information:
I personally know about 5 watchdogs that are running 24/7. And no one in the world knows about all of them (a protection from the insiders). You can improve the security by simply running the watchdog script from

16 / 18
Every watchdog transaction, that would fail because of the front running will be rewarded with a portion of the attacker stake through the manual process. In case this happens, please send me a message.
17 / 18
I wish everyone who is innovating in the blockchain to pay enough attention to security and robustness of their products through all the available means: automatic systems, notifications, bug bounties, internal and external audits.
18 / 18
Aurora Labs is continuing doing our best to develop the most secure tech that is working in the heart of the @auroraisnear ecosystem.
Stay tuned.

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Alex Shevchenko 🇺🇦

Alex Shevchenko 🇺🇦 Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @AlexAuroraDev

Mar 15
The last three weeks introduced a drastic change in my life and I cannot be silent about it. Now I'm homeless, along with millions of others.
The thread is rough. But I have no other words for this. I cannot be polite when my people are dying.
First of all, many people are trying to check whether I'm alive. I am. And my family too. We moved out from Kharkiv on the second day of the invasion.

Till the 5 am of 24th of February I was not believing that the war will come. And then I've heard cruise missiles and seen bombs landing on my peaceful city.

Read 25 tweets
Feb 12, 2021
Some stats on the costs of fungible token NEAR <> Ethereum transfers over the #RainbowBridge. @NEARProtocol...
Ethereum -> NEAR transfer consists of 3 transactions:
1. Ethereum: Approve ERC20 transfer
2. Ethereum: Lock ERC20
3. NEAR: Finalise deposit (mint tokens)
Approve ERC20 transfer costs around 45,000 ETH Gas:
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!


0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy


3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!