What happened:
On November 4 (GMT+8) at 21:00 hrs, Loopring was targeted with an aggressive DDoS attack. During the incident, the number of requests per second (RPS) increased significantly. The Loopring gateway was unable to handle such an overwhelming volume of requests, which made the services unavailable.
Timeline (GMT+8):
1) 21:00 Nov 4th our security and monitoring team identified unusual traffic and reported a DDoS attack. Loopring first attempted to mitigate it by shielding and limiting requests to reduce unnecessary traffic, but at this point was unable to resolve the problem.
2) 22:07 Nov 4th Loopring contacted AWS security engineers for additional support.
3) 3:30 Nov 5th the backend services were restored with a decreased traffic limit.
4) 4:30 Nov 5th the cross-domain issues affecting the web and loopring.io services were resolved.
5) 8:56 Nov 5th monitoring continued and the normal traffic limit was restored.
6) 10:40 Nov 5th the domain access was reconfigured for the mobile app side and the Loopring wallet services were restored.
Q&A:
Q: Do DDoS attacks impact the security of Loopring assets?
A: Being a zkRollup, Loopring inherits complete Ethereum L1 security, as users can always withdraw their assets back to L1 with no permission needed. This DDoS attack only prevented Loopring from providing external services; it had no impact on the security of assets on Loopring. During the attack, the Loopring relayer continued to generate ZKP blocks and submitted them to the Ethereum blockchain. Such attacks will never affect or jeopardize users' assets on Loopring.
Q: Why is Loopring unable to shield its users from DDoS attacks completely?
A: Loopring’s first layer of shielding had performed well in the past against minor threats, but it was less effective against this large-scale targeted DDoS attack. Although the team responded immediately to this incident, it took some time working closely with the AWS security support teams to finally resolve all the issues. This event served as a good reminder to devote additional resources and layers of protection by leveraging AWS services. Loopring, in coordination with AWS, will implement a more robust security architecture for future challenges.
Q: How will Loopring mitigate future security threats?
A: The majority of Loopring's external services are built on AWS. Loopring will leverage AWS's security capability to better mitigate future potential security threats. Following this incident, Loopring will work more closely with AWS to identify risks and deploy improved shielding and protection, ensuring that our customers receive a robust service.
ABOUT LOOPRING
Loopring is an Ethereum Layer 2 zkRollup protocol for scalable, secure DeFi and NFT applications. Loopring builds non-custodial, high-performance products atop our L2, including the Loopring Wallet — a mobile Ethereum smart wallet, and the Loopring L2 web app — an L2 orderbook and AMM DEX. To learn more, follow us on Medium or see Loopring.org.