• BTC $16819.32 0.09 %
  • ETH $1232.11 0.18 %
  • BCH $109.50 0.00 %
  • SOL $13.62 0.00 %
  • XRP $0.38 0.13 %
  • BNB $283.40 0.14 %

On Nomad Theft: Security of Chain-to-Chain Bridge

Cointime Staff· 7 min read

Another tragedy in the history of the Chain-to-Chain Bridge or Cross-Chain Bridge happened this August and the protagonist is Nomad Bridge. More than $190 million was stolen and the theft was turned into the largest and most chaotic "decentralized" heist in DeFi history.

As a new Chain-to-Chain Bridge launched this year, Nomad, with popular concepts such as cross-chain communication, has not only won the love of Coinbase Ventures, OpenSea, Polychain and other venture capital institutions, but also completed a $22 million of financing in April. It also quickly became the official Chain-to-Chain Bridge of EVMOS, Moonbeam, Milkomeda and other EVM public chains, and its lock-up volume quickly rose to nearly $200 million.

Still, no amount of endorsements is a safety net. Less than a week after the new list was released, hackers targeted Nomad and its total lock-up fell from $190 million to less than $2,000 in a matter of hours.

For a start-up project, tens of millions of dollars of financing can be regarded as the starting line to win. What is the advantage of Nomad in terms of team and design mechanism? And what vulnerabilities triggered the hack? What is the security of Chain-to-Chain Bridges we’re talking about today?

What does a Chain-to-Chain bridge tell us about the rapidly changing blockchain market?

Essentially, the initial overwhelming traffic driven by Ethereum is segmented bit by bit until a fragmented “value island" is formed. This phenomenon has become more and more evident in the past two years with the increase of the L2 projects. In essence, multi-chain coexistence is a new market pattern. As more public chains emerge, L2 projects continue to evolve and the corresponding ecosystem improves, the need for cross-chain asset transfers will explode.

However, at present, there are different types of assets and protocols on different public chains, which makes it impossible for them to communicate directly and that brings a lot of inconvenience to users.

The development of Chain-to-Chain technology makes it possible for users to interoperate between different blockchains, such as asset transactions and information exchange. The most widely used implementation is Chain-to-Chain bridge in the Web3 domain. This connection is important because without a blockchain “bridge”, blockchains would be isolated from each other, unable to communicate with each other.

What makes Nomad bridge stand out and win over those famous capitals?

Nomad is a security-first cross-chain messaging protocol whose goal is to provide connective tissue that enables end-users to securely interact across blockchains and developers to build cross-chain applications such as token bridges, native cross-chain assets, cross-chain governance applications, and more.

According to Nomad's official profile, members of its founding team have been involved in interoperability research for more than four years, and in 2017 several of them worked at Summa, a cross-chain interoperability R&D company.

Pranay Mohan, CEO and co-founder of Nomad, has 8 years of development experience. He started as a software engineer at IBM in 2014, and then co-founded software media company SE Daily. He has since worked at Snapchat, O(1) Labs, and Celo.

Nomad realized that while header relays or light client were theoretically considered the most secure way to build cross-chain bridges, they were not scalable and difficult to deploy across heterogeneous ecosystems. Light client require expertise in proof-of-work and proof-of-stake implementation and are not friendly to new developers.

Thus, Nomad, taking inspiration from Optimistic Rollups, is exploring ways to avoid light client and use fraud proofs in Optimistic Rollups to build a trust-minimizing bridge that is also easy to deploy in various ecosystems. As a result, Nomad expects to reduce gas fees by 90% compared to traditional block header relays. This is also an Optics design.

Nomad wants to provide a security-first interoperability solution where developers can securely build cross-chain applications (xApps) and bridge assets between chains. Currently, Nomad has launched the Nomad Token Bridge, which supports cross-chain assets on Ethereum, Moonbeam, and Milkomeda C1, with more chains to come.

With the security-first slogan, why this $190 million still occurred to Nomad?

Nomad Bridge was hacked on August 2 after bad actors discovered a security hole in Nomad smart contracts that enabled them to withdraw funds that did not belong to them through suspicious transactions.

According to the Slow fog analysis, this attack was caused by the fact that the trusted root of the Nomad bridge Replica contract was set to 0x0 during initialization, and the old root was not invalid when the trusted root was modified. As a result, the attack can construct any message to steal funds from the bridge.

In addition to professional analysis, there are also many people in the industry who have explained the attack in layman's terms. For example, @0x_Todd from Nothing Research said:

“Nomad had a trivial error in upgrading contracts, which resulted in ordinary people being able to hack, find past successful transactions, and then change the address and broadcast again. ”

However, the amount of money cannot be changed, so the hackers also wanted to steal one piece after another, which gave others an opportunity to grab the remaining Nomad assets, some even with ENS attached to them, such as ?? .eth this man robbed more than $3 million.

Samczsun, Paradigm partner, said:

“Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. You didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it.”

The very special point about this theft is that it was not caused by a single or several of hackers, but after the initial attacker attacked, hundreds of different accounts found this way and copied their way to get stolen funds.

Among the skepticism on the team, how does Nomad cope with the ‘most chaotic theft’?

The professionalism of the Nomad team was questioned during the theft.

At the beginning of the hack, the Nomad team said in the Discord community that they were investigating the case. At the time, about $100 million in assets had not yet been stolen from the Nomad contract address.

"The Nomad bridge is an upgradeable proxy contract. Why didn't the multisig block transactions when the slow-motion hack started?" "Says CrocSwap founder @0xdoug.

It's also worth noting that Nomad founder James Prestwich was accused of wrongdoing when he launched the project earlier this year. In November, the Celo public cross-chain bridge Optics was temporarily suspended. James Prestwich, the engineer at the time, was blamed for the incident.

Nomad was then offering a 10% reward to recover $190 million after it was hacked. Nomad has since issued a statement saying that whoever returns at least 90 per cent of the stolen tokens will be considered a so-called "white hat" -- a hacker whose goal is to find vulnerabilities rather than acquire them maliciously.

"We are not suing white hats," Nomad Chief Executive Pranay Mohan said in a statement. "But we will continue to work with our partners, intelligence firms and law enforcement to fully hold all other malicious actors accountable to the full extent of the law."

"If you haven’t yet returned funds, you can still do so now! Metagame checks your on-chain tx history automatically. "the Nomad team said via Twitter.

As of August 8, the white hat hackers had returned about $32.6 million of the total $190 million stolen, Cointelegraph reported.

BlockBeats news, on September 21, the cross-chain interoperability protocol Nomad released the cross-chain bridge restart update, called support restart made significant changes to the code, including vulnerability exploitation fixes, bridging GUI patches, processing recovered funds, etc., will be released after the completion of the audit code.

Back to technical solitons, Nomad stated that bridging recovered funds to madAssets is not a simple process, and users need to follow the following process:

1. The bridge. Bridging madAssets back into Ethereum results in an NFT that specifies the type and number of bridged assets.

2. Use an NFT (for example, 100 USDC). This NFT grants rights to a portion of the asset equivalent to a percentage of the recovered asset. In addition, users who are added to the whitelist will only be able to receive the recovered funds, the recovered funds will be accounted for by token, the tokens returned in different forms will be released, and Nomad will work with blockchain forensics companies to determine which tokens are affected.


Among the well-known cross-chain bridges, only Stargate, Hop Protocol, and Connext have not been successfully attacked so far. How long can they survive? Nomad provides a cross-chain solution that considers speed, cost, and network security by imitating optimistic system with fraud proof utilization. With complementary cooperation with cross-chain infrastructure such as Connext and later integration with other DEX protocols, Nomad may play a key role in interoperability solutions after it really learns the lesson from the historic theft.

# DeFi

All Comments