Security

How a crypto bridge bug led to a $200m 'decentralized crowd looting'

Flash mob exploits Nomad's validation code blunder


Cryptocurrency bridge service Nomad, which describes itself as "an optimistic interoperability protocol that enables secure cross-chain communication," has been drained of tokens notionally worth $190.7 million if exchanged for US dollars.

"We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics," the biz said via Twitter. "Our goal is to identify the accounts involved and to trace and recover the funds."

Nomad allows cryptocurrency holders to trade their tokens across different blockchains, the distributed public ledgers used to track crypto assets.

Bridge services of this sort represent a known security risk among those who trade tokens. Here's Ethereum co-founder Vitalik Buterin musing on Reddit about the "fundamental security limits of bridges."

And here are some recently hacked bridges: Ronin Bridge ($600 million); Qubit Bridge ($80 million); Wormhole Bridge ($320 million); Meter.io Bridge ($4.4 million); and Poly Network Bridge ($610 million that was returned).

Finally, here's James Prestwich, talking to Wired in April: "Any capital on-chain is subject to attack 24/7/365, so bridges will always be a popular target."

Prestwich is the founder and CTO at Nomad.

According to Paradigm security researcher "samczsun," Nomad was exploited as a result of a bug in what people – some without a hint of irony – call a "smart contract."

Coincidentally, this bug appears to have been cited among a number of flaws identified in a June 6, 2022 security audit [PDF] of Nomad's code.

Identified as "QSP-19 Proving With An Empty Leaf," the report calls out a validation check that accepts an empty bytes32 value and recommends: "Validate that the _leaf input of the function Replica.sol:prove is not empty."

Nomad's response to this recommendation was to dismiss it, to which the auditor responded, "We believe the Nomad team has misunderstood the issue."

The insufficiently validated code appears to reside within the process() function in the Nomad ERC20 Bridge Contract (Replica.sol:process), in a portion of the program that serves a similar purpose as the prove() function cited in the audit report. It's intended to accept an input value and see if it's part of a Merkle tree, a tree-like data structure that stores the hashed data values in its leaf nodes. The code is supposed to check messages to see if they contain a valid Merkle root.

However, the Nomad team apparently initialized the trusted root with the value 0x00, which had the effect of validating every message.
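To make the failure mode concrete, here is a toy Python model of the two checks the audit and the article describe (an added illustration written for this page, not Nomad's Replica.sol): an unproven message reads back a zero root, so a replica whose trusted root was initialised to zero accepts it. The hash function, the root values and the message bytes are all constructed for the example.

```python
import hashlib

ZERO = bytes(32)  # value of an unset bytes32 mapping slot in Solidity


class Replica:
    """Toy replica: `confirmed` holds trusted roots, `messages` maps a
    proven message hash to the root it was proven against."""

    def __init__(self, trusted_root: bytes, reject_zero: bool):
        self.reject_zero = reject_zero
        if reject_zero and trusted_root == ZERO:
            raise ValueError("trusted root must not be the zero value")
        self.confirmed = {trusted_root}
        self.messages = {}  # message hash -> root it was proven against

    def prove(self, leaf: bytes, root: bytes) -> None:
        # A real contract verifies a Merkle inclusion proof of `leaf` under
        # `root` (elided here); the audit's point is that an empty leaf must be
        # rejected before anything is recorded.
        if self.reject_zero and leaf == ZERO:
            raise ValueError("empty leaf")
        self.messages[leaf] = root

    def process(self, message: bytes) -> bool:
        leaf = hashlib.sha3_256(message).digest()  # constructed message hash
        # An unproven message reads back as ZERO, like an unset Solidity mapping
        root = self.messages.get(leaf, ZERO)
        if self.reject_zero and root == ZERO:
            return False  # never proven: refuse regardless of trusted roots
        return root in self.confirmed


def vulnerable_accepts_unproven(message: bytes) -> bool:
    # Trusted root initialised to 0x00, as the article describes
    return Replica(ZERO, reject_zero=False).process(message)


def hardened_accepts_unproven(message: bytes) -> bool:
    good_root = hashlib.sha3_256(b"constructed genesis root").digest()
    return Replica(good_root, reject_zero=True).process(message)


def hardened_accepts_proven(message: bytes) -> bool:
    good_root = hashlib.sha3_256(b"constructed genesis root").digest()
    replica = Replica(good_root, reject_zero=True)
    replica.prove(hashlib.sha3_256(message).digest(), good_root)
    return replica.process(message)


if __name__ == "__main__":
    msg = b"constructed: a message nobody ever proved"
    print("vulnerable accepts unproven:", vulnerable_accepts_unproven(msg))  # True
    print("hardened accepts unproven:", hardened_accepts_unproven(msg))      # False
    print("hardened accepts proven:", hardened_accepts_proven(msg))          # True
```

The detection angle follows directly: any `process` call on a message hash with no preceding `prove` is the anomaly to alert on.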


The hack made possible by this mistake proved so simple that after the initial attack, several dozen addresses conducted copycat thefts by copying transactions and inserting their addresses to receive funds. Hence, the incident has been described as "decentralized crowd looting," though really the term "decentralized finance" or DeFi implies as much.

"This is why the hack was so chaotic – you didn't need to know about Solidity or Merkle Trees or anything like that," explained "samczsun" via Twitter. "All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it."

Nomad meanwhile expects to get at least some of the stolen tokens back, on the assumption that certain robbers engaged in protective pilfering to deplete funds so that the less charitable might not have them. In keeping with its self-applied descriptor "optimistic," the crypto biz has thanked "our many white hat friends who acted proactively and are safeguarding funds." ®
