🧡 on the Rainbow Bridge attack during the weekend
TL;DR: similar to the May attack; no user funds lost; attack was mitigated automatically within 31 seconds; attacker lost 5 ETH.
1/15 The Rainbow Bridge is based on trustless assumptions, with no selected middleman to transfer messages or assets between chains. Because of this, anyone can interact with its smart contracts, including the NEAR light client: etherscan.io/address/0x3be7…
2/15 Usually it's Rainbow Bridge relayers who submit the info on NEAR blocks to Ethereum. However, sometimes others do this. Unfortunately, usually with bad intentions.
3/15 Incorrectly submitted information to the NEAR Light Client may result in the loss of all funds on the bridge. That's why this step is secured with the most solid thing: a consensus of NEAR validators.
4/15 And if someone tries to submit incorrect info, it will be challenged by independent watchdogs, who also observe the NEAR blockchain.
If you want to read more on how Rainbow Bridge works, check out this article: near.org/bridge/
5/15 Over the weekend an attacker submitted a fabricated NEAR block to the Rainbow Bridge contract: etherscan.io/tx/0x289c589fb…
For this transaction, a safe deposit of 5 ETH was required.
6/15 The transaction was successfully submitted in the Ethereum blockchain in the block 15378741 on Aug-20-2022 04:49:19 PM +UTC.
Note the time of the attack: the attacker was hoping that it would be complicated to react to the attack early on a Saturday morning.
7/15 However, no reaction from humans was required. Automated watchdogs challenged the malicious transaction, which resulted in the attacker losing his safe deposit:
8/15 And the reaction took only 31 seconds (4 Ethereum blocks).
9/15 This attack was almost identical to the attack on May 1st. Read more about it here:
10/15 And though the attacker was hoping that our security team wouldn't be available, in fact it was. After notifications of strange activity, within 1h the team had checked that everything was OK and went back to sleep without disturbing me or the users.
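A toy model of the bonded submission and automated watchdog challenge described above, added here as an illustration. It is not Rainbow Bridge code: the validator set, the quorum, the HMAC stand-in for validator signatures and the slashed deposit going to the challenger are all assumptions.

```python
import hashlib
import hmac

# Toy model of the mechanism the thread describes: anyone may push a NEAR block
# to the light client after locking a safe deposit, and watchdogs re-check the
# validator approvals and challenge a fabricated block. Constructed stand-ins:
# HMAC tags play the role of validator signatures; the slashed deposit is
# assumed to go to the successful challenger.
SAFE_DEPOSIT_ETH = 5
QUORUM = 3  # assumed threshold for the constructed 4-validator set
VALIDATOR_KEYS = {f"validator{i}": f"secret-key-{i}".encode() for i in range(4)}

def approve(block_hash, key):
    """Stand-in for one validator's signature over the block hash."""
    return hmac.new(key, block_hash, hashlib.sha256).digest()

class LightClient:
    def __init__(self):
        self.pending = None   # (block_hash, approvals, submitter, deposit)
        self.balances = {}    # constructed ETH ledger

    def submit(self, block_hash, approvals, submitter):
        # The contract only enforces the bond; validity is settled by challenges.
        # An honest submitter's bond stays locked until the window ends (not modeled).
        self.balances[submitter] = self.balances.get(submitter, 0) - SAFE_DEPOSIT_ETH
        self.pending = (block_hash, approvals, submitter, SAFE_DEPOSIT_ETH)

    def challenge(self, watchdog):
        """Recompute approvals; return True if the pending block is rejected."""
        block_hash, approvals, _, deposit = self.pending
        valid = sum(v in VALIDATOR_KEYS and hmac.compare_digest(
            approve(block_hash, VALIDATOR_KEYS[v]), tag) for v, tag in approvals.items())
        if valid >= QUORUM:
            return False  # honest block survives; the challenge fails
        self.balances[watchdog] = self.balances.get(watchdog, 0) + deposit
        self.pending = None  # fabricated block dropped, submitter's bond is gone
        return True

def run_scenario(fabricated):
    """Return (block_rejected, submitter_balance, watchdog_balance)."""
    block_hash = hashlib.sha256(b"constructed NEAR block header").digest()
    if fabricated:  # forged tags made without the validator keys
        tags = {v: approve(block_hash, b"attacker-guess") for v in VALIDATOR_KEYS}
    else:
        tags = {v: approve(block_hash, k) for v, k in VALIDATOR_KEYS.items()}
    lc = LightClient()
    lc.submit(block_hash, tags, "submitter")
    rejected = lc.challenge("watchdog")
    return rejected, lc.balances["submitter"], lc.balances.get("watchdog", 0)
```

The fabricated case ends with the block rejected and the 5 ETH bond moved to the watchdog; the honest case ends with the challenge failing and the block left pending.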
11/15 There are still several important things to mention:
First, we have been thinking of increasing the safe deposit (to reduce the number of attacks), but discarded this idea. The reason -- it would make the bridge more permissioned and we fight for decentralization.
12/15 Second, security is at the heart of the Aurora Labs team, and that's the reason why we have alerts, automatic systems, audits and bug bounties.
In fact, we paid out the second largest bug bounty in the world to secure our users!
13/15 Third, to all the builders in web3: there's no way you can avoid attack attempts. Please make sure that you have enough systems in place to mitigate these attacks.
My heart is bleeding when I see great builders unfortunately failing because of these.
14/15 And fourth, dear attacker, it's great to see the activity from your end, but if you actually want to do something good, instead of stealing users' money and having a very hard time trying to launder it, you have an alternative -- the bug bounty:
15/15 If you want to know more stats on the Rainbow Bridge, please refer to @zacodil's dashboard:
I hope you've found this thread informative.

Follow me @AlexAuroraDev for more.
Like/Retweet the first tweet below if you find it useful:
You can read the unrolled version of this thread here: typefully.com/AlexAuroraDev/…
