
Misaka, a Web3 value developer, said that the recent hack of the Nomad bridge shows how difficult it is to build a secure bridge that links two blockchains. Misaka made the comment following Monday's hack, in which the Nomad platform lost more than $200 million, a large chunk of all its funds.
The Nomad team said in the hours after the hack that it is investigating the incident and would make its findings public as soon as it can.
The Bridging Difficulty
In his reaction, Misaka wrote:
“Nomad is definitely one of the best teams in crypto. This hack simply shows how hard it is to create a secure bridge infra”
In his explanation of what happened, @samczsun, a researcher at Paradigm, said that there was a flaw in the Replica contract:
“A quick look suggests that the message submitted must belong to an acceptable root. Otherwise, the check on line 185 would fail”
He added that during a routine upgrade, the Nomad team had initiated a command line that had the unintended effect of auto-proving every message.
12/ tl;dr a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all
— samczsun (@samczsun) August 2, 2022
According to him,
“This is why the hack was so chaotic – you didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it”
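The root check described above can be modelled in a few lines. This is an added Python sketch, not Nomad's contract code: the class, function and message names are hypothetical, a two-leaf hash tree stands in for the real Merkle proof, and it assumes that looking up a never-proven message yields the zero hash.

```python
import hashlib

ZERO_ROOT = bytes(32)  # assumed lookup result for a message that was never proven

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

class Replica:
    """Toy replica: a message is processed only if its recorded root is acceptable."""

    def __init__(self, roots, hardened=False):
        if hardened and ZERO_ROOT in roots:
            raise ValueError("zero hash must never be an acceptable root")
        self.hardened = hardened
        self.acceptable_roots = set(roots)
        self.root_of = {}       # leaf hash -> root the message was proven against
        self.processed = set()  # leaves already handled (replay guard)

    def prove(self, message: bytes, sibling: bytes) -> None:
        # Two-leaf tree stands in for the real proof: root = H(leaf || sibling)
        leaf = h(message)
        self.root_of[leaf] = h(leaf, sibling)

    def process(self, message: bytes) -> bool:
        leaf = h(message)
        root = self.root_of.get(leaf, ZERO_ROOT)  # unproven -> zero hash
        if self.hardened and root == ZERO_ROOT:
            return False                          # explicit "was it proven?" check
        if root not in self.acceptable_roots or leaf in self.processed:
            return False
        self.processed.add(leaf)
        return True

def run(roots, hardened=False):
    """Return (proven message accepted, unproven message accepted)."""
    replica = Replica(roots, hardened)
    replica.prove(GENUINE, SIBLING)
    return replica.process(GENUINE), replica.process(UNPROVEN)

# Constructed sample data, not real bridge messages.
GENUINE = b"constructed: transfer 1 token to alice"
UNPROVEN = b"constructed: transfer 1 token to someone-else"
SIBLING = h(b"constructed: neighbouring leaf")
GOOD_ROOT = h(h(GENUINE), SIBLING)

if __name__ == "__main__":
    print("correct init :", run([GOOD_ROOT]))                 # (True, False)
    print("zero root set:", run([GOOD_ROOT, ZERO_ROOT]))      # (True, True)
    print("hardened     :", run([GOOD_ROOT], hardened=True))  # (True, False)
```

With the zero hash in the acceptable set, the message that was never proven passes the same check as the proven one; the hardened variant rejects the zero hash both at initialisation and at lookup.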
Low Standard for Crypto
In a twist to the developing story, a Twitter user, MyInvestingAccount.iota, said that the team did not do enough to prevent the exploit, considering that the bug was documented in a report.
Another user, Haze, said that low standards in crypto are responsible for hacks such as this. They highlighted that teams mostly do not run projects on testnets before public rollouts.
“The standard in crypto is just extremely low, these projects come out mostly without any time running on testnet to start with, we see this all the time, stuff is just released out nowhere in prod like a team managed by fresh out of college students would do.”