In June 2022, the Aurora Labs team received two bug reports detailing critical vulnerabilities. It paid the authors the maximum rewards — $1 million in Aurora (AURORA) tokens. This is reported in the team’s blog.
The first vulnerability concerns the cross-chain NEAR Rainbow Bridge logic for moving assets between Ethereum and Aurora via NEAR. A hacker could fool the Aurora Engine into generating a forged burn proof, present it to the bridge, and steal funds from the vault.
Aurora Labs prohibited the Aurora Engine from emitting data resembling a burn proof. The team continues to work on a long-term, more reliable solution based on balance-state proofs.
The second vulnerability was related to transferring tokens from Ethereum to Aurora. An attacker could send wrapped tokens to the recipient and deduct a commission of up to 18.4 ETH from the recipient.
Under the design, this fee allowed transferring tokens from Ethereum to Aurora via Rainbow Bridge without a NEAR wallet connected. However, before the vulnerability was discovered, the fee was not usable because bridge operations were subsidized by the Aurora validator on NEAR. Aurora Labs banned setting the fee above zero.
Aurora is an EVM blockchain built on the NEAR protocol. Its development is led by Aurora Labs, which includes the creators of NEAR itself. More than 185 projects have migrated or announced a move to Aurora: 1inch, SushiSwap, DAI, Brave and others.
In April 2022, Aurora Labs launched a bug bounty program for vulnerabilities in the protocol, smart contracts and app sites. Rewards range from $1,000 to $1 million depending on the level of severity.
On August 20, a hacker unsuccessfully attacked the NEAR Rainbow Bridge and lost 5 ETH.
