NEAR Protocol Bridge Takes 2.5 ETH from Its Attacker

Rainbow Bridge, a crypto protocol linking Ethereum to NEAR Protocol, thwarted an attack and profited in the process.

Rainbow Bridge Comin Like Omar

Rainbow Bridge, a crypto protocol linking Ethereum to NEAR Protocol, successfully thwarted an attack last week.

NEAR Protocol (NEAR) is a fast, inexpensive Layer-1 blockchain that recently introduced its own US Dollar-pegged algorithmic stablecoin, called USN. Rainbow Bridge is made by Aurora Labs. Following the attack on Rainbow Bridge, Aurora Labs CEO Alex Shevchenko created a Twitter thread detailing the failed attack and how his company turned a profit while preventing a disaster.

Last week, the attacker laundered ETH through Tornado Cash, then attempted to use the ETH to become a relayer for Rainbow Bridge. The attacker attempted to fabricate a block and then front-run Rainbow Bridge's relayer. This failed. Then the attacker tried to send a fake transaction with a block timestamped five hours in the future, and this succeeded.

Rainbow Bridge expects attacks like this, so it operates an automated watchdog. When the watchdog failed to find the transaction on the NEAR blockchain, it sent a challenge to the Ethereum blockchain.

The term "maximal extractable value," also called "miner extractable value" (MEV), "refers to the maximum value that can be extracted from block production in excess of the standard block reward and gas fees by including, excluding, and changing the order of transactions in a block." Operators create MEV bots that reorder and sometimes remove transactions from the block to maximize the operator's profits.

Rainbow Bridge operates its own MEV bots. When the MEV bots found the bad block, they determined they could also take 2.5 ETH while processing the attacker's block's alleged transactions. In the end, Rainbow Bridge's watchdog and MEV bots operated as intended. Shevchenko says the entire process of identifying and eliminating the threat was automated and that no other users' transactions or funds were affected.

In the future, Shevchenko plans to keep more of the relayer ETH in-contract, so that when attacks fail, Rainbow Bridge can capture more ETH for itself. The ETH they take from attackers now is said to be used for bug bounties and code audits.