Nomad Bridge Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 11:05, 11 April 2023 by Azoundria (Down to 15 sources left to sort through. Working further on the article.)

Nomad Bridge was a popular bridging platform between different blockchains. The smart contract was audited by Quantstamp and held over $190m. An upgrade to the smart contract allowed anyone to take a valid withdrawal transaction, replace the recipient with their own address, and have the transaction succeed. Over the course of hours the entire contract was drained. Some white hat attackers returned a total of $36m of what had been taken, in exchange for a 10% bounty.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]

About Nomad Bridge

"Nomad is a security-first cross-chain messaging protocol. By leveraging an optimistic mechanism, Nomad only requires one honest actor to keep the entire system safe."

"Secure: Nomad allows off-chain watchers to challenge messages via fraud proofs, without relying on custodians or validators.

Gas-Efficient: Nomad reduces gas fees by a factor of 10x relative to traditional header relay systems, while remaining decentralized.

Extensible: Nomad smart contracts can be deployed quickly on any smart contract chain without requiring any custom logic."

"Nomad is a bridging protocol supporting Ethereum, Moonbeam, and other chains. Nomad’s bridging protocol is built using both on-chain and off-chain components. On-chain smart contracts are used to collect and distribute bridged funds while off-chain agents relay and verify messages between different blockchains. Each blockchain deploys a Replica contract which validates and stores messages in a Merkle tree structure. Messages can be validated by either providing proof with the proveAndProcess() call or for already verified messages they can be simply submitted with the process() call. Verified messages are forwarded to a Bridge handler (e.g. ERC20 Router) which can distribute bridged assets."

"Nomad enables applications to send data between blockchains (including rollups). Applications interact with Nomad core contracts to enqueue messages to be sent, after which off-chain agents verify and ferry these messages between chains. In order to ensure that message-passing is secure, Nomad uses an optimistic verification mechanism, inspired by fraud-proof based designs like optimistic rollups. This makes Nomad more secure, cheaper, and easier to deploy compared to validator / proof-of-stake based interoperability protocols."

"Nomad was audited by Quantstamp in June 2022."

"Because bridges offer a means of interoperability between multiple separate blockchain networks, they must hold large amounts of all tokens associated with each blockchain it bridges—thus creating a massive liquidity pool and an enticing target for hackers, whether that pool is managed by a centralized custodian or a smart-contract."

"According to Nomad’s post-mortem, an implementation bug in a June 21 smart contract upgrade caused the Replica contract to fail to authenticate messages properly. This issue meant that any message could be forged as long as it had not already been processed."

"Similar to the issue Theori had with Qubit, this is a path you don't expect just looking at it. "Why would they set 0 as a proof root?" is similar to "Why would they try to run address(0).transfer?""

"The first transactions started at Ethereum block 15259101 on August 1, 21:32:31 UTC. There were four relevant transactions within this same block, at indices 0, 1, 3, and 124. Each of these transactions drained 100 WBTC from the bridge."

"a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all"

"It turns out that during a routine upgrade, the Nomad team initialized the trusted root to be 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case it had a tiny side effect of auto-proving every message"

"you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it"

"you just had to copy tx data and replace address lol"

"Nomad’s bridge got owned in a similar manner to Qubit’s QBridge. An insecure configuration of the bridge caused a specific path to allow any transaction sent. The error is inside the Replica’s “process” function."

"Nomad bridge getting rugged??? Looks very very sus"

"Not only was this hack one of the largest with over $190 million siphoned out of the Nomad liquidity pool, making it one of the more sizeable decentralized-finance (DeFi) hacks in history, but also one of the most chaotic as the technique used to steal funds required little technical knowledge, resulting in a fury of cash-grabbing copycats once news of the exploit spread on social media (Figure 1)."

"After a frenzied hack from hundreds of wallets, the bridge’s TVL dropped from $190,740,000 to $1,794 in mere hours. The hack involved a total of 960 transactions with 1,175 individual withdrawals from the bridge."

"The Security team at @a16z Crypto has investigated and found the root cause of the @nomadxyz_ bridge hack. Nothing to be done at this time except getting funds back from whitehats that drained preventively."

"Attention: White Hat Hacker Friends. Please return ETH or ERC-20 tokens to this wallet address: 0x94A84433101A10aEda762968f6995c574D1bF154"

"Nomad put forth a bounty following this hack—the bounty allowed attackers to keep 10 percent of their funds and face no legal action if the other 90 percent was returned. Oh, plus a Whitehat non-fungible token (NFT) as a thank you (Figure 2). Ultimately $36 million of the $190 million stolen was returned."

The Reality

What Happened

Key Event Timeline - Nomad Bridge Hack

| Date | Event | Description |
|---|---|---|
| August 1st, 2022 3:32:31 PM MDT | First Malicious Transaction | The first malicious transaction happens to drain funds from the bridge. |
| August 1st, 2022 3:37:00 PM MDT | Twitter Mention of Events | The suspicious withdrawal transactions are first posted to Twitter by user @spreekaway[16]. |
| August 1st, 2022 3:46:00 PM MDT | Events Shared To Telegram | The tweet is reposted on Telegram, where it will shortly get the attention of samczsun[17]. |
| August 1st, 2022 5:21:00 PM MDT | Fbslo Reports Accidental Exploit | Twitter user fbsloXBT reports accidentally exploiting the bridge and that he "will return the funds asap"[18]. He clarified that it was really easy because "you just had to copy tx data and replace address lol"[19]. |
| August 1st, 2022 5:45:00 PM MDT | Samczsun Starts His Summary | Well-known blockchain researcher samczsun posts an analysis of the situation. He describes the losses as "over $150m" and the situation as "one of the most chaotic hacks that Web3 has ever seen"[20]. |
| August 1st, 2022 6:05:00 PM MDT | Matt Gleason Publishes Root Cause | A16z crypto researcher Matt Gleason publishes the root cause in a series of tweets[21], which are then spread through Twitter[22]. |
| August 1st, 2022 6:17:00 PM MDT | Samczsun Publishes Root Cause | The cause is published as the routine upgrade completed by the Nomad team to initialize the "trusted root" to be 0x00[23]. |
| August 1st, 2022 7:02:00 PM MDT | Coach K Crypto Warning | Coach K tells everyone "[d]on't use bridges" since "they aren't safe"[24]. |

Total Amount Lost

The total amount lost has been estimated at $190,740,000 USD.

Immediate Reactions

Because the exploit required very little technical knowledge, it was used widely, including by accident. Multiple analyses of the events were published in real time, while the attack was going on, which only accelerated the rate of asset depletion from the bridge.

Matt Gleason Publishes Analysis

A16Z researcher Matt Gleason published a summary of the technical issue[21].

1/ Nomad’s bridge got owned in a similar manner to Qubit’s QBridge. An insecure configuration of the bridge caused a specific path to allow any transaction sent. The error is inside the Replica’s “process” function.

2/ Process is designed to ensure that a message has been proven, then processes the message, which should normally be fine.

3/ It does this using acceptableRoot, which will check that the root has either been proven or that it was confirmed before the current time.

4/ The problem occurs because in solidity if a map key hasn’t been seen before it will default to zero, resulting in attempting to confirm a root of zero. However, because they initialized with the confirmedRoot of 0, that means zero is technically a confirmed root.

5/ As a result, the system will accept any message that it has never seen before and process it as if it were genuine, meaning that all you need to do is ask for all the bridge’s money and you’ll get it.

Samczsun Publishes Analysis

Blockchain researcher samczsun was one of the first to start providing a full explanation of the events which unfolded and get to the root cause of the issue. His series of Tweets outlined his analysis in real-time as he composed it[20][17][23][25][26]:

1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow [him] to take you behind the scenes

2/ It all started [for him] when @officer_cia shared @spreekaway's tweet in the ETHSecurity Telegram channel. Although [he] had no idea what was going on at the time, just the sheer volume of assets leaving the bridge was clearly a bad sign

3/ [His] first thought was that there was some misconfiguration for the token's decimals. After all, it seemed as though the bridge was running a "send 0.01 WBTC, get 100 WBTC back" promotion

4/ However, after some painful manual digging on the Moonbeam network, [he] confirmed that while the Moonbeam transaction did bridge out 0.01 WBTC, somehow the Ethereum transaction bridged in 100 WBTC

5/ Furthermore, the transaction to bridge in the WBTC didn't actually prove anything. It simply called `process` directly. Suffice to say, being able to process a message without proving it first is extremely Not Good

6/ At this point, there were two possibilities. Either the proof had been submitted separately in an earlier block, or there was something extremely wrong with the Replica contract. However, there was absolutely no indication that anything had been proven recently

7/ This left only one possibility - there was a fatal flaw within the Replica contract. But how? A quick look suggests that the message submitted must belong to an acceptable root. Otherwise, the check on line 185 would fail

8/ Fortunately, there's an easy way to sanity check this assumption. [He] knew that the root of a message which had not been proven would be 0x00, because messages[_messageHash] would be uninitialized. All [he] had to do was check whether the contract would accept that as a root

9/ Oops

10/ It turns out that during a routine upgrade, the Nomad team initialized the trusted root to be 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case it had a tiny side effect of auto-proving every message

11/ This is why the hack was so chaotic - you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it

12/ tl;dr a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all
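
The root check that both threads above describe, as a simplified Python model with the misconfigured setup beside a hardened one. This is an added example, not Nomad's contract code: only `process`, `acceptableRoot`, `messages` and the zero trusted root come from the page, while the class, the `reject_zero_root` switch, the two-leaf proof and `zero_root_trusted` are assumptions made for illustration.

```python
import hashlib

ZERO_ROOT = bytes(32)  # what an unset mapping entry reads as


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


class ReplicaModel:
    """Toy model of the check described above; not Nomad's contract code."""

    def __init__(self, committed_root: bytes, reject_zero_root: bool):
        self.messages = {}     # message hash -> root it was proven under
        self.confirm_at = {}   # root -> time from which the root is trusted
        self.processed = set()
        self.reject_zero_root = reject_zero_root  # hypothetical hardening switch
        # Initialization trusts the committed root immediately. Passing
        # ZERO_ROOT here is the misconfiguration the threads describe.
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False       # "never proven" can no longer look trusted
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and now >= confirmed

    def prove(self, message: bytes, sibling: bytes, root: bytes) -> bool:
        # Two-leaf Merkle proof standing in for the real proof check.
        if h(h(message), sibling) != root:
            return False
        self.messages[h(message)] = root
        return True

    def process(self, message: bytes, now: int) -> bool:
        key = h(message)
        if key in self.processed:
            return False
        root = self.messages.get(key, ZERO_ROOT)  # unseen message -> zero root
        if not self.acceptable_root(root, now):
            return False
        self.processed.add(key)
        return True


def zero_root_trusted(replica: ReplicaModel, now: int) -> bool:
    """Post-upgrade invariant check: must be False on a healthy deployment."""
    return replica.acceptable_root(ZERO_ROOT, now)
```

Running `zero_root_trusted` against a freshly initialized or upgraded deployment is the sanity check from tweet 8 turned into a regression test: it fails as soon as the default value of the message mapping is also a trusted root.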

Community Reactions on Twitter

Coach K

Ultimate Outcome

A bounty of $3,600,000 USD was paid for the discovery.

Total Amount Recovered

The total amount recovered has been estimated at $36,000,000 USD.

Ongoing Developments

General Prevention Policies

All of the funds were placed in a hot wallet, when this could have been better secured by a multi-signature setup. Further reviews/audits of the smart contract could have been performed. Only one firm was used.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. @mg_486662 Twitter (Apr 10, 2023)
  2. @mg_486662 Twitter (Apr 10, 2023)
  3. Audits - Nomad Docs (Apr 10, 2023)
  4. Nomad (Apr 10, 2023)
  5. Introduction - Nomad Docs (Apr 10, 2023)
  6. Nomad (Apr 10, 2023)
  7. Decentralized Robbery: Dissecting the Nomad Bridge Hack and Following the Money | Mandiant (Apr 10, 2023)
  8. The Nomad Bridge Hack: A Deeper Dive (Apr 10, 2023)
  9. Nomad Bridge Hack Root Cause Analysis (Apr 10, 2023)
  10. Hackers Return $9M to Nomad Bridge After $190M Exploit (Apr 10, 2023)
  11. https://www.coinbase.com/blog/nomad-bridge-incident-analysis (Apr 10, 2023)
  12. GitHub - nomad-xyz/hack-data: Data pertaining to the Nomad Bridge Hack (Apr 10, 2023)
  13. https://cexplorer.io/article/cardano-survives-nomad-bridge-hack (Apr 10, 2023)
  14. theverge.com/2022/8/2/23288785/nomad-bridge-200-million-chaotic-hack-smart-contract-cryptocurrency (Apr 10, 2023)
  15. Nomad crypto bridge loses $200 million in ‘chaotic’ hack - The Verge (Apr 10, 2023)
  16. spreekaway - "Nomad bridge getting rugged??? Looks very very sus" - Twitter (Apr 10, 2023)
  17. samczsun - "It all started when @officer_cia shared @spreekaway's tweet in the ETHSecurity Telegram channel." - Twitter (Apr 11, 2023)
  18. fbsloXBT - "Accidently exploited Nomad bridge (for 17k), will return the funds asap" - Twitter (Apr 10, 2023)
  19. fbsloXBT - "you just had to copy tx data and replace address lol" - Twitter (Apr 10, 2023)
  20. samczsun - "Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen." - Twitter (Apr 11, 2023)
  21. Matt Gleason - "An insecure configuration of the bridge caused a specific path to allow any transaction sent." - Twitter (Apr 11, 2023)
  22. nassyweazy - "The Security team at @a16z Crypto has investigated and found the root cause of the @nomadxyz_ bridge hack." - Twitter (Apr 10, 2023)
  23. samczsun - "It turns out that during a routine upgrade, the Nomad team initialized the trusted root to be 0x00." - Twitter (Apr 10, 2023)
  24. Coachkcrypto - "Don’t use bridges they aren’t safe!" - Twitter (Sep 22, 2022)
  25. samczsun - "All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast" - Twitter (Apr 10, 2023)
  26. samczsun - "Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all" - Twitter (Apr 10, 2023)