Analysis: What makes the Nomad Bridge hack unique
2022-08-04 00:32:00 【chinadefi】

On August 1, 2022, $190 million in various assets was siphoned from the Nomad Bridge. What makes this breach unusual is that it is the first hack in which the general public actively took part.
The Nomad Bridge hack was originally planned by a single person, but ordinary users soon spotted the bug the original attacker had exploited and reproduced it with little more than Ctrl+C, Ctrl+V.
This article looks at how the attack was possible in the first place.
What is Nomad?
Nomad is a cross-chain bridge that lets users transfer crypto assets between chains, although no asset is ever literally moved from one chain to another. Nomad runs several smart contracts that burn assets on the origin chain and mint assets on the destination chain. This is why a cross-chain transfer leaves us holding wETH instead of ETH: Wrapped Ether is a mirrored version of Ether that is compatible with other chains.
Analysis of the Nomad hack

The hack happened the day before yesterday, when the attacker discovered and began exploiting a weakness. Others quickly worked out what was being exploited and started copy-pasting the exploit to drain assets from the Nomad bridge themselves. This effectively emptied Nomad's wallet, from $190 million to $700, in a matter of hours.

This unprecedented opportunistic attack was possible because it is so easy to replicate: all anyone had to do was copy the attacker's transaction call data and replace the original address with their own.
What made the hack happen in the first place?
The vulnerability is caused by a bug in the Nomad smart contract file Replica.sol. Furthermore, according to the audit report in the Nomad GitHub repository, this particular weakness had actually been flagged by the auditors and acknowledged by the Nomad team.
More specifically, the problem stems from the following check in the process() function, on line 192 of the Replica.sol file:
require(acceptableRoot(messages[_messageHash]), "!proven");
This line by itself is not inherently wrong: it ensures that the message being processed was proven against a root that the smart contract considers acceptable.
require() is a built-in Solidity check that reverts the transaction unless its condition holds; here it is meant to ensure that only authorized addresses can perform operations on this smart contract. Unfortunately, 41 days ago, the team made a mistake when initializing the contract's Merkle root, adding 0x00 as an acceptable root. This means that everyone's wallet address is an acceptable root for this contract and can successfully call its functions.
A poor Merkle root initialization is the root cause of this problem. Once the vulnerability was discovered, it was very easy to replicate, and people started siphoning money from Nomad. Some have promised to return the funds.
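To make the root cause concrete, here is a small Python model of the check described above. It is an added example, not Nomad's Solidity code, and it assumes (as Solidity mappings behave) that an unset mapping entry reads as zero, so a message that was never proven looks up root 0x00; a hardened flag shows two places where the mistake can be caught.

```python
from dataclasses import dataclass, field
from typing import Dict

ZERO_ROOT = bytes(32)  # bytes32(0): what an unset Solidity mapping slot reads as


@dataclass
class ReplicaModel:
    """Simplified model of the Replica checks (assumed structure, not Nomad's code)."""
    # root -> timestamp from which it is acceptable; 0 means never confirmed
    confirm_at: Dict[bytes, int] = field(default_factory=dict)
    # message hash -> root it was proven against; unset reads as ZERO_ROOT
    messages: Dict[bytes, bytes] = field(default_factory=dict)
    now: int = 1_000_000          # stand-in for block.timestamp
    hardened: bool = False        # enable the defensive checks

    def initialize(self, committed_root: bytes) -> None:
        # The bad upgrade committed 0x00 here; a hardened deploy refuses it.
        if self.hardened and committed_root == ZERO_ROOT:
            raise ValueError("committed root must not be zero")
        self.confirm_at[committed_root] = 1   # confirmed "since timestamp 1"

    def acceptable_root(self, root: bytes) -> bool:
        t = self.confirm_at.get(root, 0)
        return t != 0 and self.now >= t

    def prove(self, message_hash: bytes, root: bytes) -> None:
        # A real prove() verifies a Merkle proof first; the model only records the root.
        self.messages[message_hash] = root

    def process(self, message_hash: bytes) -> bool:
        # Mirrors: require(acceptableRoot(messages[_messageHash]), "!proven");
        root = self.messages.get(message_hash, ZERO_ROOT)
        # Hardened: a message whose stored root is zero was never proven at all.
        if self.hardened and root == ZERO_ROOT:
            raise PermissionError("!proven")
        if not self.acceptable_root(root):
            raise PermissionError("!proven")
        return True


def unproven_message_passes(committed_root: bytes, hardened: bool = False) -> bool:
    """True if a never-proven message clears process() after this initialization."""
    r = ReplicaModel(hardened=hardened)
    r.initialize(committed_root)
    try:
        return r.process(b"\x11" * 32)   # constructed hash; nobody ever proved it
    except PermissionError:
        return False
```

With the zero root committed, the never-proven message passes; with any non-zero root, or with the hardened checks on, it is rejected.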
Source: https://cryptomaton.medium.com/the-great-nomad-bridge-hack-inside-the-first-decentralised-crowd-looting-event-98af2c5444f8
About
ChinaDeFi - ChinaDeFi.com is a research-driven DeFi innovation organization and also a blockchain development team. Every day, from nearly 900 pieces of content drawn from more than 500 high-quality information sources worldwide, we select the more in-depth and systematic material and bring it to the Chinese market as quickly as possible to support decision-making.
Fellow Layer 2 enthusiasts - Blockchain technology enthusiasts and research analysts interested in Layer 2 are welcome to contact Gavin (WeChat: chinadefi) to discuss the opportunities Layer 2 brings. Stay tuned to our WeChat official account "Decentralized Finance Community".
