On Nomad Theft: Security of Chain-to-Chain Bridge

Cointime Official

Another disaster in the history of the Chain-to-Chain Bridge (or Cross-Chain Bridge) happened this August, and this time the protagonist was Nomad Bridge. More than $190 million was stolen, and the theft turned into the largest and most chaotic "decentralized" heist in DeFi history.

Nomad, a new Chain-to-Chain Bridge launched this year around popular concepts such as cross-chain communication, not only won the favor of Coinbase Ventures, OpenSea, Polychain and other venture capital institutions, but also completed a $22 million financing round in April. It also quickly became the official Chain-to-Chain Bridge of EVMOS, Moonbeam, Milkomeda and other EVM public chains, and its lock-up volume quickly rose to nearly $200 million.

Still, no amount of endorsements is a safety net. Less than a week after the new list was released, hackers targeted Nomad and its total lock-up fell from $190 million to less than $2,000 in a matter of hours.

For a start-up project, tens of millions of dollars in financing amounts to winning at the starting line. What advantages does Nomad have in terms of team and design mechanism? What vulnerabilities triggered the hack? And how secure are the Chain-to-Chain Bridges we are talking about today?

What does a Chain-to-Chain bridge tell us about the rapidly changing blockchain market?

Essentially, the overwhelming traffic that Ethereum initially drew has been split up bit by bit into fragmented “value islands”. This phenomenon has become more and more evident in the past two years with the increase in L2 projects. In essence, multi-chain coexistence is a new market pattern. As more public chains emerge, L2 projects continue to evolve and the corresponding ecosystems improve, the need for cross-chain asset transfers will explode.

However, at present there are different types of assets and protocols on different public chains, which makes it impossible for them to communicate directly and causes users a lot of inconvenience.

The development of Chain-to-Chain technology makes it possible for users to interoperate between different blockchains, for example through asset transactions and information exchange. The most widely used implementation in the Web3 domain is the Chain-to-Chain bridge. This connection is important because without a blockchain “bridge”, blockchains would be isolated and unable to communicate with each other.

What makes Nomad bridge stand out and win over those well-known investors?

Nomad is a security-first cross-chain messaging protocol whose goal is to provide connective tissue that enables end-users to securely interact across blockchains and developers to build cross-chain applications such as token bridges, native cross-chain assets, cross-chain governance applications, and more.

According to Nomad's official profile, members of its founding team have been involved in interoperability research for more than four years, and in 2017 several of them worked at Summa, a cross-chain interoperability R&D company.

Pranay Mohan, CEO and co-founder of Nomad, has 8 years of development experience. He started as a software engineer at IBM in 2014, and then co-founded software media company SE Daily. He has since worked at Snapchat, O(1) Labs, and Celo.

Nomad realized that while header relays or light clients were theoretically considered the most secure way to build cross-chain bridges, they were not scalable and were difficult to deploy across heterogeneous ecosystems. Light clients require expertise in proof-of-work and proof-of-stake implementation and are not friendly to new developers.

Thus Nomad, taking inspiration from Optimistic Rollups, is exploring ways to avoid light clients and use the fraud proofs of Optimistic Rollups to build a trust-minimizing bridge that is also easy to deploy in various ecosystems. As a result, Nomad expects to reduce gas fees by 90% compared to traditional block header relays. This is also an Optics design.

Nomad wants to provide a security-first interoperability solution where developers can securely build cross-chain applications (xApps) and bridge assets between chains. Currently, Nomad has launched the Nomad Token Bridge, which supports cross-chain assets on Ethereum, Moonbeam, and Milkomeda C1, with more chains to come.

With its security-first slogan, why did this $190 million theft still happen to Nomad?

Nomad Bridge was hacked on August 2 after bad actors discovered a security hole in Nomad smart contracts that enabled them to withdraw funds that did not belong to them through suspicious transactions.

According to the SlowMist analysis, this attack was caused by the fact that the trusted root of the Nomad bridge Replica contract was set to 0x0 during initialization, and the old root was not invalidated when the trusted root was modified. As a result, an attacker could construct arbitrary messages to steal funds from the bridge.
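The zero-root flaw described above, as an added example that is not from the article or from Nomad's code: a simplified Python model of message acceptance next to a hardened variant. All names (`Replica`, `confirm_at`, `acceptable_root`) are hypothetical, proof verification is a stand-in, and the model assumes an unproven message reads back as the default zero root.

```python
import hashlib
import time

ZERO_ROOT = b"\x00" * 32  # the 0x0 root named in the analysis

class Replica:
    """Simplified, hypothetical model of a bridge replica's acceptance check."""

    def __init__(self, trusted_root: bytes, hardened: bool = False):
        if hardened and trusted_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.hardened = hardened
        self.confirm_at = {trusted_root: 1}  # root -> time from which it is trusted
        self.messages = {}                   # message hash -> root it was proven under
        self.processed = set()

    def prove(self, message: bytes, root: bytes) -> None:
        # Stand-in for Merkle proof verification: just record the proven root.
        self.messages[hashlib.sha256(message).digest()] = root

    def acceptable_root(self, root: bytes) -> bool:
        if self.hardened and root == ZERO_ROOT:
            return False  # "never proven" must not look like a trusted root
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and confirmed <= time.time()

    def process(self, message: bytes) -> bool:
        digest = hashlib.sha256(message).digest()
        if digest in self.processed:
            return False  # already handled once
        # Assumption: an unproven message maps to the default zero root.
        root = self.messages.get(digest, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.add(digest)
        return True

def demo() -> dict:
    unproven = b"constructed sample: message that was never proven"
    proven = b"constructed sample: message with a recorded proof"
    weak = Replica(ZERO_ROOT)  # trusted root initialised to 0x0
    good_root = hashlib.sha256(b"constructed committed root").digest()
    strong = Replica(good_root, hardened=True)
    strong.prove(proven, good_root)
    return {
        "weak_accepts_unproven": weak.process(unproven),
        "hardened_accepts_unproven": strong.process(unproven),
        "hardened_accepts_proven": strong.process(proven),
    }
```

The weak instance accepts a message that was never proven because its lookup and its trusted root share the same sentinel value; the hardened instance rejects the zero root both at initialization and at acceptance time.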

In addition to professional analysis, there are also many people in the industry who have explained the attack in layman's terms. For example, @0x_Todd from Nothing Research said:

“Nomad had a trivial error in upgrading contracts, which resulted in ordinary people being able to hack, find past successful transactions, and then change the address and broadcast again.”

However, the amount in each transaction could not be changed, so the hackers could only steal one piece after another, which gave others an opportunity to grab the remaining Nomad assets. Some of the addresses involved even had ENS names attached to them, such as ?? .eth, whose owner took more than $3 million.

Samczsun, Paradigm partner, said:

“Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. You didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it.”

What makes this theft unusual is that it was not the work of one or a few hackers: after the initial attacker struck, hundreds of different accounts discovered the method and copied it to take funds.

Amid skepticism about the team, how does Nomad cope with the ‘most chaotic theft’?

The professionalism of the Nomad team was questioned during the theft.

At the beginning of the hack, the Nomad team said in the Discord community that they were investigating the case. At the time, about $100 million in assets had not yet been stolen from the Nomad contract address.

"The Nomad bridge is an upgradeable proxy contract. Why didn't the multisig block transactions when the slow-motion hack started?" says CrocSwap founder @0xdoug.

It's also worth noting that Nomad founder James Prestwich was accused of wrongdoing when he launched the project earlier this year. In November, the Celo public cross-chain bridge Optics was temporarily suspended. James Prestwich, the engineer at the time, was blamed for the incident.

After it was hacked, Nomad offered a 10% reward to recover the $190 million. Nomad has since issued a statement saying that whoever returns at least 90 per cent of the stolen tokens will be considered a so-called "white hat" -- a hacker whose goal is to find vulnerabilities rather than exploit them maliciously.

"We are not suing white hats," Nomad Chief Executive Pranay Mohan said in a statement. "But we will continue to work with our partners, intelligence firms and law enforcement to fully hold all other malicious actors accountable to the full extent of the law."

"If you haven’t yet returned funds, you can still do so now! Metagame checks your on-chain tx history automatically," the Nomad team said via Twitter.

As of August 8, the white hat hackers had returned about $32.6 million of the total $190 million stolen, Cointelegraph reported.

According to BlockBeats, on September 21 the cross-chain interoperability protocol Nomad released an update on restarting its cross-chain bridge. It said that supporting the restart required significant changes to the code, including fixes for the exploited vulnerability, bridging GUI patches and the processing of recovered funds, and that the code will be released after its audit is complete.

Back to the technical solution: Nomad stated that bridging recovered funds to madAssets is not a simple process, and users need to follow this process:

1. Bridge. Bridging madAssets back into Ethereum results in an NFT that specifies the type and number of bridged assets.

2. Use an NFT (for example, 100 USDC). This NFT grants rights to a portion of the asset equivalent to a percentage of the recovered asset. In addition, users who are added to the whitelist will only be able to receive the recovered funds; the recovered funds will be accounted for by token; the tokens returned in different forms will be released; and Nomad will work with blockchain forensics companies to determine which tokens are affected.

Summary

Among the well-known cross-chain bridges, only Stargate, Hop Protocol, and Connext have not been successfully attacked so far. How long can they survive? Nomad provides a cross-chain solution that considers speed, cost, and network security by imitating optimistic systems and using fraud proofs. With complementary cooperation with cross-chain infrastructure such as Connext and later integration with other DEX protocols, Nomad may play a key role in interoperability solutions once it has really learned the lesson of this historic theft.
