“The First Decentralized Heist”: Restoring Nomad’s Attack

At 7:00 on August 2, the encrypted KOL @0xfoobar tweeted that the cross-chain interoperability protocol Nomad bridge is being hacked, WETH and WBTC are being transferred out at a frequency of one million dollars each time, and there are still $126 million in the contract There may be risks. Users are reminded to withdraw funds as soon as possible. The most recent one saw 10,000 ethereum (about $16 million) transferred out, and another $80 million in USDC is flowing out of the Nomad bridge.

The official Nomad team stated that it is aware of the incident involving the Nomad Token Bridge and is currently investigating. Affected by the incident, Moonbeam stated that the Moonbeam network has entered maintenance mode to investigate security incidents of smart contracts deployed on the network. During this period, functionality will be limited and users will not be able to perform regular user transactions and smart contract interactions. The ability to govern, staking, unsuspend and upgrade will continue to work.

As of now, according to data from defillama, more than $190 million of cryptocurrencies in Nomad TVL have been withdrawn within a few hours, and only $5,336 remains in the wallet. Terra researcher FatMan commented on the attack, saying it was the first decentralized heist in true encryption.

X2Qvi0euqrZkH5NIm1sAdnTApqyxxVjR0VzXloSv.pngIn this regard, @samczsun, a researcher from investment institution Paradigm, tried to restore the whole process of the hacking attack:

1. It all started when @officer_cia shared a tweet on the @spreekaway ETH Security Telegram channel. Although it was not known at the time what was going on, the large amount of assets evacuated from the bridge was clearly a bad sign.

Image2. The first thought is that the decimal point configuration of the token is wrong. After all, the bridge seems to be running a “send 0.01 WBTC, get 100 WBTC back” promotion.

tHh8j5rhW2ovtFMl1H3gIHEZEel8nFjXNl8Gpg5Z.png3, However, after doing some manual mining on the Moonbeam network, it was confirmed that while the Moonbeam transaction did bridge 0.01 WBTC, the Ethereum transaction somehow bridged 100 WBTC.


picture4. Furthermore, the transactions bridged in WBTC don’t actually prove anything. It just calls `process` directly. Arguably, being able to process a message without first proving it is very bad


5. At this point, there are two possibilities. Either the proof was submitted separately in an earlier block, or the Replica contract has a serious bug. However, there is absolutely no indication that anything has been proven recently.

picture6. There is only one possibility left—the copy contract is fatally flawed. But how? A quick glance shows that the submitted message must belong to an acceptable root. Otherwise, the check on line 185 will fail.


7. Fortunately, there is an easy way to check this assumption. Knowing that the root of a message that is not authenticated is 0x00, because messages[_messageHash] will be uninitialized. All you have to do next is to check if the contract will accept it as a root.


8. It turns out that during a routine upgrade, the Nomad team initialized the root of trust to 0x00. To be clear, it is a common practice to use a zero value as an initialization value. Unfortunately in this case it has the minor side effect of automatically validating every message.

Image9. This is why hackers are so confusing – you don’t need to know about Solidity or Merkle Trees or anything like that. All you have to do is find a valid transaction, find/replace the other party’s address with your address, and rebroadcast it.

10. Routine upgrades mark the zero hash as a valid root, which has the effect of allowing messages to be spoofed on Nomad. Attackers abuse it to copy/paste transactions and quickly drain the bridge in frantic dogfights.

A16z application security member Matt Gleason tweeted why Nomad was attacked :

Nomad bridges are obtained in a similar fashion to Qubit’s QBridge. An insecure configuration of the bridge causes a specific path to allow any transaction to be sent. The error is in Replica’s “process” function.

Process is designed to ensure the message has been proven, and then process that message, which should generally be fine.


It does this using acceptableRoot, which will check if the root has been proven or confirmed before the current time.

pictureThis problem occurs because in solidity, if a map key has not been seen before, it will default to zero, causing an attempt to confirm that the root value is zero. However, since they are initialized with a confirmed Root of 0, this means that zero is technically a confirmed root.


So the system accepts any message it has never seen before and treats it as if it were real, which means all you need to do is ask for all the bridge money and you’ll get it.

Paradigm engineer @ParadigmEng420 tweeted to remind users that if they have any funds in Nomad, Evmos, Moonbeam, Milkomeda, they need to exchange nomadic assets and use a different cross-chain bridge to get back to Ethereum or another chain as soon as possible. He also noted that Nomad suspended the repeater and attempted to use observers to review all bridge transactions, however, this may not be helpful as the exploit is on the contract side and not on the infrastructure side.

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/the-first-decentralized-heist-restoring-nomads-attack/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2022-08-02 10:51
Next 2022-08-02 10:53

Related articles