Nomad Bridge Hack: Explained & Risks of Cross-Chain Applications

Community sourced content

The most popular Ethereum to Moonbeam bridge suffered an exploit due to a mistake in the smart contract. The attackers have drained $ 190M from the bridge contract.

TL;DR

  • On August 1st, 2022 the Nomad bridge suffered an exploit, which resulted in a loss of $190M.
  • The vulnerability allowed attackers to bypass the message verification process and they drained the tokens from the bridge contract plummeting the balance to about $12k.
  • This essentially made it possible for exploiters to deposit for example 0.01 WBTC on one chain and receive 100 WBTC on the other.
  • The vulnerability was caused by the initialization process, where the “committedRoot” is set as empty bytes32. Through the initialization made by the developers of this variable, it is possible to pass unverified messages with zero content (empty bytes32 corresponds to 32 zeros). This means that it is not necessary to prove that you have deposited a quantity of tokens on a chain; therefore it is possible to withdraw an arbitrary quantity of cryptos from the bridge, draining the funds.

What is Nomad?

Nomad is an optimistic interoperability protocol that enables secure cross-chain communication. In particular, it is a protocol for sending arbitrary messages between blockchains, including rollups.

Nomad separates the transport and application layers so that developers can deploy cross-chain applications (xApps), without having to know how the cross-chain transport layer works. They just need to implement send & receive functions.

Nomad allows the development of different applications:

  • bridge tokens between chains;
  • deploy tokens across chains;
  • execution of DAO’s cross-chain governance proposals;
  • build native cross-chain applications, the xApps.

In order to ensure that the passage of messages is secure, Nomad uses an optimistic verification mechanism, inspired by fraud-proof based designs such as optimistic rollups. This makes Nomad safer, cheaper and easier to implement than proof-of-stake interoperability protocols. An optimistic verification mechanism is slightly weaker in security than natively verified systems, but it is more cost-efficient, simpler and easy to deploy. It is more complex than a multi-sig or other externally verified systems, but it is more trust-minimized and offers greater security.

The Nomad protocol’s most important use case is bridging tokens between Ethereum, Moonbeam, Avalanche, Evmos and Milkomeda. There are two front-ends that have integrated with Nomad: Connext Bridge GUI and Nomad Bridge GUI.

Just a few days before the attack, Nomad revealed several big name investors - Coinbase Ventures, Crypto.com Capital, Polygon, OpenSea, Wintermute, Gnosis and Aglaé - that took part in the seed funding in April, in order to help grow security-first cross-chain messaging solution.

Cross-Chain Vulnerabilities & Multi-Chain Future

Vitalik Buterin has written why he is optimistic about a multi-chain blockchain ecosystem but pessimistic about cross-chain applications in this Reddit post. In fact, cross-chain bridges inherit some security issues, which are currently not solvable. These protocols allow an investor to deposit their tokens on one chain and receive debit tokens on another chain, which we can call wrapped tokens.

To achieve this, cross-chain bridges combine multiple structures such as custodian, debt issuer and an oracle. This makes those protocols vulnerable and potential targets as there are multiple attack avenues for malicious actors to exploit.

Attacks on bridges risk causing contagions in the DeFi of one or more chains which are based on wrapped tokens and not on native tokens.

For these reasons, cross-chain bridges are easy targets especially when the TVL starts to be sizable. This is evidenced by the recent events in 2022: five cross-chain bridge attacks led to losses amounting $1’317’000’000.

What happened during the exploit?

At 9:32 PM UTC the first suspicious transactions were identified . The first one is also used as example to explain the attack:

Within a few hours, all the assets were withdrawn from various wallets, emptying the bridge's smart contract.

Initially it may appear to be a misconfiguration of the token decimals. But the problem is that the transaction did not undergo any verification, as it directly called the ‘process()’ function. There are therefore two possible cases: either the proof has been verified in a previous block, or there is an exploit somewhere. So let’s try to understand what exactly happened.

1. The attacker calls the “process(byte memory _message)” function with an arbitrary “_message”.

2. Inside the function, “acceptableRoot(messages[_messageHash])” is called, which is used to check that the root has been submitted and that the optimistic timeout period has expired. “messages[_messageHash]” is 0x00 by default.

3. The function “acceptableRoot(messages[_messageHash])” returns true, so the message is proven. This is caused by the fact that 0x00 is initialized as true in this transaction, in which “committedRoot” is initialized to zero.

4. Based on the implementation of the function, the root of an unproven message is also zero and zero as a valid confirmed root can bypass the verification.

5. After the message is proved, the attacker is able to transfer an arbitrary amount of tokens out of the bridge. A deeper brief about the hack has been published on Nomad's Medium account, for those who are more interested about the technical aspects of this event.

What makes this exploit more unique from others is the presence of different threat actors participating in this attack, including whitehat-hackers. At least 41 wallets have participated in the exploit, making it potentially “the first Web3 decentralized attack”. The ease with which the attackers drained funds from the bridge contributed to the participation of more people in the hack.

Another particular aspect is the phishing attempt by another malicious actor, who owns the ENS nomadexploiter.eth and sends on-chain messages in order to raise the funds of the exploit from whitehat-hackers.

Nomad confirmed on Twitter that they are not behind this account.

What could happen after the Nomad exploit?

This type of attack carries risks not only for the users directly involved in the Nomad bridge. Bridges mint wrapped tokens on the chains they support and Nomad supports Ethereum, Moonbeam, Avalanche, Evmos and Milkomeda.

All users and all protocols present on these chains that use wrapped tokens are those most affected by the contagion effect of an attack on a bridge. This is the case of the Horizon Bridge exploit, which compromised many lending positions on the known platform Aave V3.

After the exploit of the Harmony Horizon ERC20 Bridge, which allowed the transfer of funds from the Ethereum to the Harmony network, many assets suffered bouts of strong  volatility, which negatively impacted  the token holders. The most affected tokens  in  this exploit were DAI, USDC, USDT and AAVE.

The operation of a bridge is as simple as it is delicate: a quantity X of tokens is locked in a smart contract on Ethereum L1 and an equal quantity of X wrapped tokens on the destination network (in this case Harmony) is generated. In case of a bridge exploit, for a quantity X of assets locked in the contract on the Ethereum L1 network there is a supply of X wrapped assets on the destination network, but the supply of the assets is backed only by X-Y assets locked, with Y equal to the amount of exploited assets.

Consequently, each wrapped unit has less value than it should, and consequently lower price. Some users can take advantage of this arbitrage opportunity and that’s what happened to Aave V3 on Harmony after the Horizon exploit.

Trusting that the assets on the mainnet would not be restored, effectively causing a permanent price divergence, the users performed the following actions within a few hours:

  • they deposited one of the assets with currently less value (such as 1USDC), enabling it as collateral on Aave V3 Harmony;
  • they borrowed assets not exploited, such as ONE or LINK.

Arbitrage is based on the difference in price between the real value of the asset wrapped by the exploited bridge, compared to its value reported by the oracle, still not aware of the exploit.

The contagion effect caused by the Nomad exploit has already occurred on chains such as Moonbeam and Evmos, which as shown by Defillama have lost most of their TVL.

As you can see in the screenshots below, many lending and DEX protocols on Moonbeam and Evmos networks have lost much of their TVL due to the loss of funds on the Nomad bridge.

Conclusion

The exploit on Nomad is not the first of 2022, but it reminds us how devastating a hack can be for an ecosystem and for its users. We will likely see more exploits of this nature in the future, however teams and developers will have to be more concerned about security by carefully testing the apps, in order to mitigate and prevent these devastating events.

Developers and crypto users should re-evaluate the concept of cross-chain operability, trying to understand the real risks of the proliferation of ecosystems with considerable inherent risks. These risks are systematically ignored due to potential high returns in DeFi dApps.

In the future we will certainly live a multi-chain experience, where each blockchain and ecosystem will play its own specific role, but we must also understand the fact that each chain must work on the security of the assets held on it and on how the network is used. In recent years we have had a proliferation of alternative L1 blockchains that are very similar to each other, also technologically speaking and with the same objectives.

The real added value of a chain are not copy-pasted dApps from Ethereum, but are given by new decentralized applications, developed thanks to the underlying technology of the network.

For this reason, Pontem is working closely with Aptos in order to make the user experience much more secure thanks to Move, a programming language designed specifically for blockchains, and it competes with Solidity by focusing on security, in order to avoid exploits and hacks due to human mistakes, as in the case of Nomad bridge. Also, Move has a more efficient storage model than EVM and it is designed to be easily optimized to run on other L1s like Polkadot, Cosmos, Avalanche, etc.

Pontem is building foundational dApps for Aptos to advance global financial inclusion and bring the power of blockchains to one billion users. Follow us on Twitter and Telegram for updates.

Install our wallet and try DEX