How a crypto bridge bug led to a $200m 'decentralized crowd looting'

Flash mob exploits Nomad's validation code blunder

Cryptocurrency bridge service Nomad, which describes itself as "an optimistic interoperability protocol that enables secure cross-chain communication," has been drained of tokens notionally worth $190.7 million if exchanged for US dollars.

"We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics," the biz said via Twitter. "Our goal is to identify the accounts involved and to trace and recover the funds."

Nomad allows cryptocurrency holders to trade their tokens across different blockchains, the distributed public ledgers used to track crypto assets.

Bridge services of this sort represent a known security risk among those who trade tokens. Here's Ethereum co-founder Vitalik Buterin musing on Reddit about the "fundamental security limits of bridges."

And here are some recently hacked bridges: Ronin Bridge ($600 million); Qubit Bridge ($80 million); Wormhole Bridge ($320 million); Meter.io Bridge ($4.4 million); and Poly Network Bridge ($610 million that was returned).

Finally, here's James Prestwich, talking to Wired in April: "Any capital on-chain is subject to attack 24/7/365, so bridges will always be a popular target."

Prestwich is the founder and CTO at Nomad.

According to Paradigm security researcher "samczsun," Nomad was exploited as a result of a bug in what people – some without a hint of irony – call a "smart contract."

Coincidentally, this bug appears to have been cited among a number of flaws identified in a June 6, 2022 security audit [PDF] of Nomad's code.

Identified as "QSP-19 Proving With An Empty Leaf," the report calls out a validation check that accepts an empty bytes32 value and recommends: "Validate that the _leaf input of the function Replica.sol:prove is not empty."

Nomad's response to this recommendation was to dismiss it, to which the auditor responded, "We believe the Nomad team has misunderstood the issue."

The insufficiently validated code appears to reside within the process() function in the Nomad ERC20 Bridge Contract (Replica.sol:process), in a portion of the program that serves a similar purpose as the prove() function cited in the audit report. It's intended to accept an input value and see if it's part of a Merkle tree, a tree-like data structure that stores the hashed data values in its leaf nodes. The code is supposed to check messages to see if they contain a valid Merkle root.

However, the Nomad team apparently initialized the trusted root with the value 0x00, which had the effect of validating every message.

All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it

The hack made possible by this mistake proved so simple that after the initial attack, several dozen addresses conducted copycat thefts by copying transactions and inserting their addresses to receive funds. Hence, the incident has been described as "decentralized crowd looting," though really the term "decentralized finance" or DeFi implies as much.

"This is why the hack was so chaotic – you didn't need to know about Solidity or Merkle Trees or anything like that," explained "samczsu" via Twitter. "All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it."

Nomad meanwhile expects to get at least some of the stolen tokens back, on the assumption that certain robbers engaged in protective pilfering to deplete funds so that the less charitable might not have them. In keeping with its self-applied descriptor "optimistic," the crypto biz has thanked "our many white hat friends who acted proactively and are safeguarding funds." ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2022