Cointime

Download App
iOS & Android

On Nomad Theft: Security of Chain-to-Chain Bridge

Cointime Official

Another tragedy in the history of the Chain-to-Chain Bridge or Cross-Chain Bridge happened this August and the protagonist is Nomad Bridge. More than $190 million was stolen and the theft was turned into the largest and most chaotic "decentralized" heist in DeFi history.

As a new Chain-to-Chain Bridge launched this year, Nomad, with popular concepts such as cross-chain communication, has not only won the love of Coinbase Ventures, OpenSea, Polychain and other venture capital institutions, but also completed a $22 million of financing in April. It also quickly became the official Chain-to-Chain Bridge of EVMOS, Moonbeam, Milkomeda and other EVM public chains, and its lock-up volume quickly rose to nearly $200 million.

Still, no amount of endorsements is a safety net. Less than a week after the new list was released, hackers targeted Nomad and its total lock-up fell from $190 million to less than $2,000 in a matter of hours.

For a start-up project, tens of millions of dollars of financing can be regarded as the starting line to win. What is the advantage of Nomad in terms of team and design mechanism? And what vulnerabilities triggered the hack? What is the security of Chain-to-Chain Bridges we’re talking about today?

What does a Chain-to-Chain bridge tell us about the rapidly changing blockchain market?

Essentially, the initial overwhelming traffic driven by Ethereum is segmented bit by bit until a fragmented “value island" is formed. This phenomenon has become more and more evident in the past two years with the increase of the L2 projects. In essence, multi-chain coexistence is a new market pattern. As more public chains emerge, L2 projects continue to evolve and the corresponding ecosystem improves, the need for cross-chain asset transfers will explode.

However, at present, there are different types of assets and protocols on different public chains, which makes it impossible for them to communicate directly and that brings a lot of inconvenience to users.

The development of Chain-to-Chain technology makes it possible for users to interoperate between different blockchains, such as asset transactions and information exchange. The most widely used implementation is Chain-to-Chain bridge in the Web3 domain. This connection is important because without a blockchain “bridge”, blockchains would be isolated from each other, unable to communicate with each other.

What makes Nomad bridge stand out and win over those famous capitals?

Nomad is a security-first cross-chain messaging protocol whose goal is to provide connective tissue that enables end-users to securely interact across blockchains and developers to build cross-chain applications such as token bridges, native cross-chain assets, cross-chain governance applications, and more.

According to Nomad's official profile, members of its founding team have been involved in interoperability research for more than four years, and in 2017 several of them worked at Summa, a cross-chain interoperability R&D company.

Pranay Mohan, CEO and co-founder of Nomad, has 8 years of development experience. He started as a software engineer at IBM in 2014, and then co-founded software media company SE Daily. He has since worked at Snapchat, O(1) Labs, and Celo.

Nomad realized that while header relays or light client were theoretically considered the most secure way to build cross-chain bridges, they were not scalable and difficult to deploy across heterogeneous ecosystems. Light client require expertise in proof-of-work and proof-of-stake implementation and are not friendly to new developers.

Thus, Nomad, taking inspiration from Optimistic Rollups, is exploring ways to avoid light client and use fraud proofs in Optimistic Rollups to build a trust-minimizing bridge that is also easy to deploy in various ecosystems. As a result, Nomad expects to reduce gas fees by 90% compared to traditional block header relays. This is also an Optics design.

Nomad wants to provide a security-first interoperability solution where developers can securely build cross-chain applications (xApps) and bridge assets between chains. Currently, Nomad has launched the Nomad Token Bridge, which supports cross-chain assets on Ethereum, Moonbeam, and Milkomeda C1, with more chains to come.

With the security-first slogan, why this $190 million still occurred to Nomad?

Nomad Bridge was hacked on August 2 after bad actors discovered a security hole in Nomad smart contracts that enabled them to withdraw funds that did not belong to them through suspicious transactions.

According to the Slow fog analysis, this attack was caused by the fact that the trusted root of the Nomad bridge Replica contract was set to 0x0 during initialization, and the old root was not invalid when the trusted root was modified. As a result, the attack can construct any message to steal funds from the bridge.

In addition to professional analysis, there are also many people in the industry who have explained the attack in layman's terms. For example, @0x_Todd from Nothing Research said:

“Nomad had a trivial error in upgrading contracts, which resulted in ordinary people being able to hack, find past successful transactions, and then change the address and broadcast again. ”

However, the amount of money cannot be changed, so the hackers also wanted to steal one piece after another, which gave others an opportunity to grab the remaining Nomad assets, some even with ENS attached to them, such as ?? .eth this man robbed more than $3 million.

Samczsun, Paradigm partner, said:

“Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. You didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it.”

The very special point about this theft is that it was not caused by a single or several of hackers, but after the initial attacker attacked, hundreds of different accounts found this way and copied their way to get stolen funds.

Among the skepticism on the team, how does Nomad cope with the ‘most chaotic theft’?

The professionalism of the Nomad team was questioned during the theft.

At the beginning of the hack, the Nomad team said in the Discord community that they were investigating the case. At the time, about $100 million in assets had not yet been stolen from the Nomad contract address.

"The Nomad bridge is an upgradeable proxy contract. Why didn't the multisig block transactions when the slow-motion hack started?" "Says CrocSwap founder @0xdoug.

It's also worth noting that Nomad founder James Prestwich was accused of wrongdoing when he launched the project earlier this year. In November, the Celo public cross-chain bridge Optics was temporarily suspended. James Prestwich, the engineer at the time, was blamed for the incident.

Nomad was then offering a 10% reward to recover $190 million after it was hacked. Nomad has since issued a statement saying that whoever returns at least 90 per cent of the stolen tokens will be considered a so-called "white hat" -- a hacker whose goal is to find vulnerabilities rather than acquire them maliciously.

"We are not suing white hats," Nomad Chief Executive Pranay Mohan said in a statement. "But we will continue to work with our partners, intelligence firms and law enforcement to fully hold all other malicious actors accountable to the full extent of the law."

"If you haven’t yet returned funds, you can still do so now! Metagame checks your on-chain tx history automatically. "the Nomad team said via Twitter.

As of August 8, the white hat hackers had returned about $32.6 million of the total $190 million stolen, Cointelegraph reported.

BlockBeats news, on September 21, the cross-chain interoperability protocol Nomad released the cross-chain bridge restart update, called support restart made significant changes to the code, including vulnerability exploitation fixes, bridging GUI patches, processing recovered funds, etc., will be released after the completion of the audit code.

Back to technical solitons, Nomad stated that bridging recovered funds to madAssets is not a simple process, and users need to follow the following process:

1. The bridge. Bridging madAssets back into Ethereum results in an NFT that specifies the type and number of bridged assets.

2. Use an NFT (for example, 100 USDC). This NFT grants rights to a portion of the asset equivalent to a percentage of the recovered asset. In addition, users who are added to the whitelist will only be able to receive the recovered funds, the recovered funds will be accounted for by token, the tokens returned in different forms will be released, and Nomad will work with blockchain forensics companies to determine which tokens are affected.

Summary

Among the well-known cross-chain bridges, only Stargate, Hop Protocol, and Connext have not been successfully attacked so far. How long can they survive? Nomad provides a cross-chain solution that considers speed, cost, and network security by imitating optimistic system with fraud proof utilization. With complementary cooperation with cross-chain infrastructure such as Connext and later integration with other DEX protocols, Nomad may play a key role in interoperability solutions after it really learns the lesson from the historic theft.

Comments

All Comments

Recommended for you

  • Norway’s Wealth Fund Watchdog to Review Cryptocurrencies by 2025

    According to market news reported by , the supervisory authority of Norway's wealth fund will conduct reviews on shoe manufacturers, cryptocurrency, and gambling companies in 2025, which may lead to divestment.

  • SlowMist publishes over 4,000 DEXX victim addresses and corresponding attacker addresses on the EVM chain

    Yu Xian disclosed that SlowMist has published the addresses of more than 4000 victims and corresponding attacker addresses on the EVM (ETH/BSC/BASE) chain's DEXX. Last week, more than 8600 Solana addresses related to attackers were announced. The data comes from the official DEXX and submissions from thousands of victims.

  • OpenAI responds to Musk's lawsuit: The application is repeated and still unfounded

    recently Musk requested a US court to block OpenAI, an artificial intelligence research center, from illegally transforming into a for-profit enterprise. A spokesperson for OpenAI said that Musk's application is repetitive and still baseless.

  • Musk says SpaceX could be worth more than $1 trillion

    a netizen posted on social media platform X claiming that there are 9 companies in the world with a market value exceeding one trillion US dollars, of which 8 are American companies. In response, Musk replied that SpaceX may one day become one of them.

  • South Korea postpones cryptocurrency tax again until 2027

    at today's press conference, Park Chan-dae, the leader of the largest opposition party in South Korea, the Democratic Party of Korea, announced that they will abandon their plan to implement a cryptocurrency capital gains tax in 2025 and agree to postpone it for another two years until 2027. The proposal to "delay the cryptocurrency capital gains tax" was put forward by the South Korean government and the ruling party, the People Power Party. The Democratic Party of Korea previously stated that delaying taxation was a political trick of the ruling party.

  • Community feedback: On-chain AI agent Spectral interaction contract was hacked

    On December 1st, X user @RuslanMoody warned: "Do not interact with the on-chain AI agent Spectral website, as its interaction contract has been hacked. Note: this does not apply to tokens whose liquidity is locked on Uniswap." Additionally, X user @0xYong_W stated that the Spectral exchange has been "emptied" by someone else.

  • Japan's Financial Services Agency proposes relaxing reserve requirements for trust banks to issue stablecoins and implementing travel rules

    the Japanese Financial Services Agency (FSA) recently presented some ideas regarding cryptocurrencies and stablecoins to the Financial System Committee's Payment Services Working Group. It was mentioned that the FSA is unwilling to allow banks outside of trust banks to issue stablecoins. As for stablecoins issued by trust banks, the FSA hopes to relax the reserve requirements that currently mandate all assets be held in the form of bank deposits. However, the FSA also hopes to implement travel rules that require KYC for transfers of stablecoins issued by trust banks.

  • Security agency: Clipper lost more than $500,000 in attack, $6.5 million in funds at risk

    security organization fuzzland's co-founder shoucccc stated in a post on X that "DEX Clipper was attacked by hackers due to API vulnerabilities (such as private key leaks). Currently, the losses exceed 500,000 US dollars, and 6.5 million US dollars of funds are at risk. Users are advised to withdraw immediately."

  • Japan’s Financial Services Agency proposes lightweight legislation for non-exchange crypto intermediaries

    Japan is considering new lightweight legislation for cryptocurrency intermediaries that are not cryptocurrency exchanges. Recently, the Japanese Financial Services Agency (FSA) presented its own ideas to the Payment Service Working Group of the Financial System Committee.

  • DeFi TVL exceeds $95 billion again

    According to defillama data, as of May 18, 2024, the total value locked (TVL) in DeFi has once again surpassed $95 billion. It is currently reported at $95.069 billion, an increase of nearly $12 billion from the low point of $83.04 billion 35 days ago. Among the top five protocols in terms of TVL, Eigenlayer has the highest 30-day increase, with TVL rising by 19.67% to a total of $15.455 billion.