FAIL: Nomad DeFi Bridge ‘Loses’ $190M of Worthless Tokens

Cryptocurrency startup Nomad allowed thieves to steal all its fake money. It’s the latest dangerous DeFi API vulnerability in a long line of such failures.

Nomad claimed its “optimistic bridging” API would “would keep users’ funds safe.” That sounds like an optimistic promise—it certainly hasn’t aged well.

DevOps Connect:DevSecOps @ RSAC 2022

Stupid exploit or cynical rug pull? In today’s SB Blogwatch, we take a closer look.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Technical interview survival guide.

I’ve Got a Bridge to Sell You

What’s the craic? Elizabeth Howcroft reports—“Crypto firm Nomad hit by $190 million theft”:

Nomad described itself as a ‘security-first’ business
Crypto analytics firm PeckShield [said] $190 million worth of users’ cryptocurrencies were stolen, including ether and the stablecoin USDC. Other blockchain researchers put the figure at over $150 million. [It’s] the latest such heist to hit the digital asset sector this year.

[It] targeted Nomad’s “bridge” – a tool which allows users to transfer tokens between blockchains. … Blockchain bridges have increasingly become the target of thefts, which have long plagued the crypto sector. Over $1 billion has been stolen from bridges so far in 2022, according to … Elliptic.

San Francisco-based Nomad … which last week raised $22 million from investors … makes software that connects different blockchains – the digital ledgers that underpin most cryptocurrencies. … Nomad described itself as a “security-first” business which would keep users’ funds safe.

That’s hilarious. Sam Kessler and Brandy Betz mourn the loss—“Calls the security of cross-chain token bridges into question once again”:

Bridge attacks have become more frequent
Attackers [drained] the protocol of virtually all of its funds. … Monday’s attack is the latest in a string of highly-publicized incidents.

The Nomad team acknowledged the exploit: … ”An investigation is ongoing and leading firms for blockchain intelligence and forensics have been retained. We have notified law enforcement and are working around the clock … to identify the accounts involved and to trace and recover the funds.”

Bridge attacks have become more frequent in recent months. [They] can be devastating for smaller chains that rely on them for a large amount of their total liquidity.

What went wrong? @Zellic_io has the tl;dr:

Bugfix introduced a regression, that combined with a curiously initialized storage slot, led to a severe vuln. Attackers copycatted each other, messily draining the bridge over an hour.

Audit drift is a major problem in Web3 security. … Audits are often only a point-in-time snapshot of the code. New code is often not audited. New code must be rigorously tested or audited, as it can introduce new bugs, like in this case.

For mission-critical and high-assurance code, simple unit test suites are insufficient. Integration tests, on a mainnet fork must be done. Negative tests are necessary as well: A simple negative test for processing invalid messages would likely have caught this mistake!

Do we need regulation? Test0129 is sure we do:

This is pathetic
There is a reason technology that requires high levels of stability is mired in layers of approval, review, regulation, etc. It doesn’t change much if at all once it works, because the probability of introducing a failure mode is so high with software.

There’s a point where this level of of negligence should rise to criminal liability, no different than if someone wrote code for a new Boeing that was so bad it moves beyond incompetence. We are at this point.

Crypto companies … should be required to carry insurance and pass stringent security audits no different than other high value systems. This is pathetic, and it’s not the first time, second time, or third time it happens.

We can’t even agree how much was stolen. $40 million here, $40 million there, pretty soon you’re talking serious money—right, quall?

You know crypto is an unstable pile of nothing when [one] firm says everything was worth $190m, but another only evaluates it all at $150m. We’re talking a … 21% difference.

Wanna dive deeper? Your dive buddy is @samczsun:

While the Moonbeam transaction did bridge out 0.01 WBTC, somehow the Ethereum transaction bridged in 100 WBTC. [And it] didn’t actually prove anything. It simply called process directly. Suffice to say, being able to process a message without proving it first is extremely Not Good.

A quick look suggests that the message submitted must belong to an acceptable root [and] the root of a message which had not been proven would be 0x00. … It turns out that during a routine upgrade, the Nomad team initialized the trusted root to be 0x00. [This] had a tiny side effect of auto-proving every message.

This is why the hack was so chaotic. … All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.

ELI5? hypertele-Xii explains like you’re five:

Their “smart” contract was accidentally programmed to accept a proof-less message as full root access:
if (authorization == 0)
then accept_transaction(withdraw $150mil)

And this won’t be the last time. So says this Anonymous Coward:

The funny and sad thing is there’s more fools willing to put money into crypto and get scammed by Ponzi-crypto-scammers.

Meanwhile, rapsey freestyles:

Well done and congrats to the hackers. One step closer to ridding the world of web3 nonsense.

And Finally:

Get a better job

TW: Hostage situation, firearms, Arby’s, Nickelback

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Mahdi Bafande (via Unsplash; leveled and cropped)

Be the first to comment

Leave a Reply

Your email address will not be published.