An analysis of the Nomad cross-chain bridge exploit

According to Go+ researcher Ben, at least 90M was stolen in the Nomad cross-chain bridge exploit.

The exploit is relatively simple: because the Merkle root is used incorrectly, any operation can be interpreted as valid. This means anyone can copy and paste the hacker’s transaction to steal funds from the bridge.

In this tx, the hacker just called process() in Replica.sol. Once the three require checks in process() pass, the specified operations are processed by NomadBridge.handle().

All of the requires passed. The first and third are obvious, so look at the second one: acceptableRoot(messages[_messageHash]). Here messages[_messageHash] = 0x0, because the message was forged by the hacker (it does not exist in this contract’s history).

A mapping returns 0 by default for a key that was never set. LEGACY_XXXX = 1 or 2, which is irrelevant here. Next is confirmAt[_root]: as long as it is != 0 and < the current block time, the check passes. So what is the value of confirmAt[0x0]?

The cause is a wrong initialisation parameter: the initialiser sets confirmAt[_committedRoot] = 1, and _committedRoot = 0x0 was passed while initialising the contract. So confirmAt[0x0] = 1, and the check passed.

That is to say, anyone can forge any message to steal funds from the bridge. You can even copy and paste the hacker’s data and modify the receiver.
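
The check described above can be modelled in a few lines to show why the zero root must never be trusted and what a guard looks like. This is an added example, not code from Replica.sol or from Go+; the class ReplicaModel, the reject_zero_root switch and the zero_root_is_trusted() audit helper are hypothetical names, and all sample values are constructed.

```python
import hashlib
from collections import defaultdict

ZERO = b"\x00" * 32  # value an unset bytes32 mapping slot reads as


class ReplicaModel:
    """Simplified model of the checks described above; not Replica.sol itself."""

    def __init__(self, committed_root, reject_zero_root=False):
        # Solidity mappings return 0 for keys never written; defaultdict mimics that.
        self.messages = defaultdict(lambda: ZERO)  # message hash -> root it was proven under
        self.confirm_at = defaultdict(int)         # root -> time it becomes acceptable
        self.reject_zero_root = reject_zero_root   # hypothetical hardening switch
        self.confirm_at[committed_root] = 1        # confirmAt[_committedRoot] = 1

    def prove(self, message_hash, root):
        self.messages[message_hash] = root  # stand-in for a successful Merkle proof

    def acceptable_root(self, root, now):
        # LEGACY_* status values are left out; the article notes they are irrelevant here.
        if self.reject_zero_root and root == ZERO:
            return False  # "never proven" must never count as a trusted root
        confirmed = self.confirm_at[root]
        return confirmed != 0 and confirmed < now

    def process(self, message_hash, now):
        # Models only the second require: acceptableRoot(messages[_messageHash]).
        return self.acceptable_root(self.messages[message_hash], now)


def zero_root_is_trusted(replica):
    """Deployment invariant check: the default mapping value must not be a confirmed root."""
    return replica.confirm_at[ZERO] != 0


NOW = 1_700_000_000  # constructed timestamp
unproven = hashlib.sha256(b"constructed message that was never proven").digest()
proven = hashlib.sha256(b"constructed message with a valid proof").digest()
real_root = hashlib.sha256(b"constructed non-zero root").digest()

as_deployed = ReplicaModel(committed_root=ZERO)
hardened = ReplicaModel(committed_root=ZERO, reject_zero_root=True)
healthy = ReplicaModel(committed_root=real_root)
healthy.prove(proven, real_root)

if __name__ == "__main__":
    print("as deployed accepts unproven message:", as_deployed.process(unproven, NOW))
    print("hardened accepts unproven message:   ", hardened.process(unproven, NOW))
```

The same invariant, that confirmAt for the zero root is 0, is worth asserting in deployment and upgrade tests for any contract that uses a mapping default as a "not proven" marker.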

Go+ Security

Go+ Security, Everyone’s Security Tool! Go+ is an open, permissionless, user-driven security service platform for all types of blockchain users.