News: Nomad Bridge Hack

What went wrong, and how could it have been prevented

Last updated 1 year ago

Nomad Bridge hack

On 2 August 2022, the Nomad bridge, a protocol designed to move tokens across blockchains and so let different networks interact, was hacked and drained of $191 million worth of Ethereum-denominated funds. How did this happen? What was unique about it, and how can it be prevented in future?

What is a 'Bridge'?

A blockchain bridge, otherwise known as a cross-chain bridge, connects two blockchains and allows users to send cryptocurrency from one chain to the other.

Usually, a cross-chain bridge works by "wrapping" tokens in a smart contract and then issuing native assets to users on the other chain. This means bridges have to hold a lot of funds on either side, which makes them lucrative targets for hackers.

August 2nd - Initial exploit detected

According to Twitter user @samczsun, users started noticing funds leaving the bridge at an alarming rate and posted about it in the ETHSecurity Telegram channel.

This was a unique hack, as the initial exploit was then copied and pasted by regular users until the funds were entirely drained from the bridge. You could watch the drama play out on-chain: $190,740,000 drained in a couple of hours.

We can see the funds leaving the bridge here:

So what happened?

A hacker used a vulnerability flagged in the Nomad audit to get invalid transactions confirmed, which allowed them to transfer funds to themselves. The audit is available for anyone to review at the link below, and the relevant finding (QSP-19) is also posted below.

Technically speaking, the function exploited was process(), found in the current implementation contract at 0xB92336759618F55bd0F8313bd843604592E27bd8, which checks that a message was proven against an acceptable Merkle root. This check is intended to stop users from passing arbitrary data, but the team accidentally marked the zero root as an acceptable root, which tragically meant that every message was treated as already proven when it should have been rejected.

Put simply: A misconfiguration of the project’s main smart contract accidentally allowed anyone with a basic understanding of the code to authorise withdrawals to themselves.
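To make the root check concrete, here is an added, simplified Python model of the logic described above; it is not Nomad's contract code, and the Replica class, its fields, the time values and the constructed hashes are assumptions. It shows that once the zero root is confirmed, a message that was never proven (whose stored root defaults to zero) passes process(), and how refusing the zero root closes that path while a properly proven message still goes through.

```python
# Added illustrative model, not Nomad's code: a replica whose process() accepts a
# message only if the root it was proven against is "acceptable". Marking the
# zero root acceptable at initialisation makes every unproven message pass.
from dataclasses import dataclass, field

ZERO_ROOT = b"\x00" * 32  # the all-zero Merkle root


@dataclass
class Replica:
    # root -> time from which it is acceptable; absent (0) means never confirmed
    confirm_at: dict = field(default_factory=dict)
    # message hash -> root it was proven against; absent entries read as the
    # zero root, mirroring the default value of an EVM storage mapping
    messages: dict = field(default_factory=dict)
    reject_zero_root: bool = False  # hardened replicas refuse the zero root

    def initialize(self, committed_root: bytes) -> None:
        # Hazard: whatever root is passed here is marked confirmed at time 1.
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # an unproven message must never look proven
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and now >= confirmed

    def process(self, message_hash: bytes, now: int) -> bool:
        # Merkle proof verification (prove()) is elided; only the root check
        # that process() relies on is modelled.
        root = self.messages.get(message_hash, ZERO_ROOT)
        return self.acceptable_root(root, now)


def compare(now: int = 100) -> dict:
    """Process a never-proven message on a vulnerable and on a hardened replica."""
    never_proven = b"\x11" * 32  # constructed message hash
    vulnerable = Replica()
    vulnerable.initialize(ZERO_ROOT)   # the misconfiguration the page describes
    hardened = Replica(reject_zero_root=True)
    hardened.initialize(ZERO_ROOT)
    # A message proven against a genuinely confirmed root still passes.
    good_root, proven = b"\x22" * 32, b"\x33" * 32  # constructed values
    hardened.confirm_at[good_root] = 50
    hardened.messages[proven] = good_root  # what prove() records after a valid proof
    return {
        "vulnerable_unproven": vulnerable.process(never_proven, now),  # True
        "hardened_unproven": hardened.process(never_proven, now),      # False
        "hardened_proven": hardened.process(proven, now),              # True
    }
```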

Now this is the crazy part: all that copycats had to do was copy the initial exploit, change the transaction data to their own personal addresses, and they could drain funds from the bridge themselves. This led to an absolute free-for-all as millions of dollars were drained in a frenzy of copycat hacks.

White-hat hackers

Many of those who jumped on the bandwagon were good Samaritans stepping in to preserve funds until the exploit was fixed. So far $32.6 million worth of funds has been returned from 41 separate accounts. It's a nice twist to a story that would otherwise have left the Nomad team totally devastated.

How could this have been avoided?

According to a Medium post by Nomad themselves:

Safety Over Formalism

When we decided not to include light clients in Nomad's design, we also gave up formal security. While this decision had tremendous benefits for simplicity and operating cost, we had to accept that Nomad would not be provably secure. Nomad is designed to be secure in practice.

They sacrificed security for cost and simplicity, and it cost them. One errant line of code and the bridge was drained in its entirety.

Lessons

At Scallop we are designing our own bridge and are making no sacrifices on security. Having our own dedicated blockchain provides watertight security, and not relying on third-party bridges reduces the risk of being targeted by hackers looking for a lucrative score.

The unique part of this story is that good Samaritans stepped in and have returned a chunk of the stolen funds. Crypto is unique in that sense, and this is testament to the strong communities that make up the myriad ecosystems in the space.

Sources

Nomad's own account of the incident: Medium post by Nomad (quoted above under "How could this have been avoided?").
Nomad audit, in which the exploited issue was flagged (QSP-19): docs/Nomad-Audit.pdf at commit 1ff0c55dba2a842c811468c57793ff9a6542ef0f, nomad-xyz/docs on GitHub.
Recovery process: $32 million in funds returned so far.
Chart data showing the draining of 190 million USD worth of tokens: DefiLlama, https://defillama.com/protocol/nomad