Nomad Bridge’s $200 Million Exploit Postmortem

Sm4rty
4 min read · Aug 3, 2022

Hi, in this blog I will explain a recent exploit at Nomad Bridge that took place on 1st August 2022. The total funds lost in this exploit were approximately $200 million. It is one of the largest hacks that Web3 has ever seen. Let's get started.

What is Nomad Bridge?

Before looking at the vulnerability, let's understand what bridges are and how they work. A cross-chain bridge connects independent blockchains and enables the transfer of assets and information between them, allowing users to access other protocols easily. Bridges typically work by locking up tokens in a smart contract on one chain and then reissuing those tokens in “wrapped” form on another chain.

Nomad is a cross-chain bridge that allows users to send and receive tokens between different blockchains like Ethereum, Moonbeam, etc.
Nomad enables applications to send data between blockchains (including rollups). Applications interact with contracts to enqueue messages to be sent, after which off-chain verifiers verify and ferry these messages between chains.

Vulnerability Analysis:

Here is the link to the transactions on Etherscan for reference.

Looking at the transactions that interacted with the contract, we can see that these exploits have one thing in common: they call the `process()` function in the Nomad ERC20 Bridge contract.

The bug lay in the `process()` function of the Replica.sol contract. The function checks that the domain of the message is correct (i.e., a transaction signed for evmos is meant for evmos) and checks that the message has been proven by the prover.
The code: `require(acceptableRoot(messages[_messageHash]), "!proven");`
It verifies that the transaction belongs to an acceptable root. If it doesn't, the call reverts with an error.

The root of a message that has not been proven is `0x00`, because `messages[_messageHash]` is uninitialized for it.

And `0x00` was now considered an acceptable root in the contract.

This was because, during a routine upgrade, the Nomad team initialized the trusted root to `0x00`.

Marking the zero hash as a valid root had the effect of allowing messages to be spoofed on Nomad.
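
The check and the zero-root default described above can be reproduced in a small model. This is an added example, not code from Nomad's Replica.sol or from the PoC linked in this post; `ReplicaModel`, `confirmAt`, `initialize`, `isProven` and the hardened variants are assumed names, and proof verification and access control are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model written for this article; NOT Nomad's Replica.sol.
// confirmAt, initialize() and the hardened variants are assumptions.
// No access control or proof logic: this only models the root check.
contract ReplicaModel {
    // Message hash => root it was proven under. Unset entries read as 0x00.
    mapping(bytes32 => bytes32) public messages;
    // Root => time after which it is trusted. Unset entries read as 0.
    mapping(bytes32 => uint256) public confirmAt;

    // Weak: accepts whatever root it is given, including bytes32(0).
    function initialize(bytes32 _committedRoot) external {
        confirmAt[_committedRoot] = 1;
    }

    // Hardened: the zero root can never become trusted.
    function initializeHardened(bytes32 _committedRoot) external {
        require(_committedRoot != bytes32(0), "zero root");
        confirmAt[_committedRoot] = 1;
    }

    function acceptableRoot(bytes32 _root) public view returns (bool) {
        uint256 _time = confirmAt[_root];
        return _time != 0 && block.timestamp >= _time;
    }

    // Weak check, as quoted above: for an unproven message the lookup
    // yields 0x00, which passes once 0x00 is a trusted root.
    function isProven(bytes32 _messageHash) external view returns (bool) {
        return acceptableRoot(messages[_messageHash]);
    }

    // Hardened check: an unset entry is rejected before the root lookup.
    function isProvenHardened(bytes32 _messageHash) external view returns (bool) {
        bytes32 _root = messages[_messageHash];
        return _root != bytes32(0) && acceptableRoot(_root);
    }
}
```

After `initialize(bytes32(0))`, `isProven` returns true for any message hash that was never proven, while `isProvenHardened` still returns false; `initializeHardened(bytes32(0))` reverts outright.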

Copy-Pasting transactions:

It was found that the call data from an old successful transaction could be copy-pasted into fresh transactions to retrieve assets from the bridge.

This led to hundreds of people copying the transaction call data, and just by changing the address, they could replay the attack.

samczsun added in his Twitter thread:
“This is why the hack was so chaotic — you didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it”

For educational purposes, a PoC for this attack has been created by massun-onibakuchi and can be found at the GitHub link below.

https://github.com/massun-onibakuchi/nomad-bridge-exploit-poc

After the Exploit:

The Nomad team acknowledged the exploit and posted updates on the situation through its Twitter handle.

Nomad further said that their ‘White Hat Friends’ are draining funds to help safeguard ETH/ERC-20 tokens from further exploitation, and will be returning them to Nomad’s address.

So far, at least one individual has come out and offered to act as a white hat hacker who intends to return the funds they took from the bridge. The individual, going by Notifi Bot on Twitter, reached out to Nomad in a tweet stating, “This is a whitehack. I plan to return the funds.”

Thanks for reading. Any suggestions are always welcome!
