Aurora Labs Pays $2M to Hackers Who Found Two Vulnerabilities
In June, the Aurora Labs team received two bug reports identifying critical vulnerabilities. The company paid the authors of the reports the maximum reward, which is $1 million each in Aurora (AURORA) tokens.
According to the company's developers, the first vulnerability concerns the logic of the NEAR Rainbow Bridge, the cross-chain bridge for transferring assets between Ethereum and Aurora via NEAR. A hacker could trick the Aurora Engine into generating a fake token burn proof, provide it to the bridge, and steal the funds from the vault.
Aurora Labs has blocked the Aurora Engine from outputting data that looks like a burn proof. The team continues to work on a more robust, long-term proof of balance solution.
The second vulnerability is related to the transfer of tokens from Ethereum to Aurora. An attacker could send wrapped tokens to the recipient and charge the recipient up to 18.4 ETH.