Cryptocurrency startup Nomad allowed thieves to steal all that fake money. This is the latest dangerous DeFi API vulnerability in a string of such failures.
Nomad claimed its “optimistic bridging” API will “keep user funds safe”. That is optimistic, I promise. It certainly hasn’t aged well.
Ridiculous exploits or sarcastic rug pulls? In today’s SB blogwatch, we’ll take a closer look.
Your humble blog watchers have curated these blog bits for your entertainment. Not to mention: a technical interview survival guide.
I got a bridge to sell you
What is the craic? Elizabeth Howcroft reports that “cryptocurrency company Nomad has suffered theft of $190 million”.
“Nomad describes itself as a ‘security first’ business”
Crypto analysis company PeckShield [said] $190 million worth of users’ cryptocurrencies were stolen, including Ether and the USDC stablecoin. Other blockchain researchers put the figure at more than $150 million. [It’s] the latest heist to hit the digital assets sector this year.
[It] targeted Nomad’s “bridge”, a tool that allows users to transfer tokens between blockchains. … Blockchain bridges are increasingly targeted for theft and have plagued the crypto sector for a long time. According to Elliptic, more than $1 billion has been stolen from bridges so far in 2022.
San Francisco-based Nomad … raised $22 million from investors last week … is creating software that connects different blockchains. These are the digital ledgers that underpin most cryptocurrencies. … Nomad prides itself on being a ‘security first’ business that keeps users’ funds safe.
It’s hilarious. Sam Kessler and Brandy Betz lament the loss — “questioning the security of cross-chain token bridges once again”:
“Bridge attacks are now more frequent”
Attackers [drained] the protocol of almost all its funds. … Monday’s attacks are the latest in a series of widely reported incidents.
The Nomad team has acknowledged the exploit. “We have notified law enforcement, identified the accounts involved, and are working around the clock to track and recover the funds.”
Bridge attacks have become more frequent in recent months. [They] can be devastating for smaller chains that rely on them for most of their total liquidity.
What went wrong? @Zellic_io has the tl;dr:
A bug fix introduced a regression that, combined with a strangely initialized storage slot, resulted in a significant vulnerability. The attackers mimicked each other and spent an hour messily draining the bridge.
Audit drift is a major Web3 security problem. … Audits are often a point-in-time snapshot of code. New code is often unaudited. As in this case, new code should be rigorously tested or audited as it may introduce new bugs.
For mission-critical, high-assurance code, a simple unit test suite is insufficient. You should run integration tests on a mainnet fork. A negative test is also required. A simple negative test to handle invalid messages might catch this mistake.
Do you need regulation? Test0129 confirms that:
“This is pathetic”
There is a reason why technologies that require high stability are buried in layers of approval, review, and regulation. Software is very likely to introduce failure modes, so once it works it doesn’t change much.
This level of negligence carries criminal liability just like if someone wrote code for a new Boeing, beyond incompetence they wrote bad code. I’m in
Crypto companies must be insured and pass the same rigorous security audits as any other high-value system. This is pathetic, and it’s not the first, second, or third time it’s happened.
I also cannot agree on the amount stolen. $40 million here, $40 million there.
You know crypto is a shaky pile of nothing when [one] company says everything is worth $190 million, while another values everything at only $150 million. What we’re talking about is … a 21% difference.
Want to dive deeper? Your diving buddy is @samczsun:
The Moonbeam transaction bridged 0.01 WBTC, while the Ethereum transaction bridged 100 WBTC. [And it] didn’t really prove anything. It simply called process directly. Being able to process a message without first proving it is very not good.
A quick look reveals that messages sent must belong to an acceptable root [and] the root for uncertified messages is 0x00. … It turned out that the Nomad team initialized the trusted root to 0x00 during a routine upgrade. [This] had the small side effect of auto-certifying all messages.
This is why hacking has been so confusing. … all you had to do was find the transaction that worked, find someone else’s address, replace it with yours, and rebroadcast it.
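The following is an added example, not code from Nomad, @samczsun or @Zellic_io: a simplified Python model of the zero-default root lookup described above, together with the kind of negative test Zellic recommends. Class, method and message names are illustrative assumptions, and the proof step is a stand-in for real Merkle verification.

```python
# Simplified model of the failure described above. All names are illustrative
# assumptions; this is not Nomad's contract code.
import hashlib

ZERO_ROOT = b"\x00" * 32  # what an unset storage slot reads as


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Bridge:
    def __init__(self, init_root: bytes, reject_zero_root: bool):
        self.trusted_roots = {init_root}  # root marked as trusted at initialization
        self.proven_under = {}            # message hash -> root it was proven under
        self.processed = set()
        self.reject_zero_root = reject_zero_root

    def prove(self, message: bytes, root: bytes) -> None:
        # Stand-in for Merkle proof verification: record the root only.
        self.proven_under[digest(message)] = root

    def process(self, message: bytes) -> bool:
        key = digest(message)
        # A message that was never proven has no entry, so the lookup
        # yields the zero default, like an unset mapping slot.
        root = self.proven_under.get(key, ZERO_ROOT)
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: "never proven" is never acceptable
        if root not in self.trusted_roots or key in self.processed:
            return False
        self.processed.add(key)
        return True


def rejects_unproven(bridge: Bridge) -> bool:
    """Negative test: a message that was never proven must be refused."""
    return bridge.process(b"constructed message, never proven") is False


def run_scenarios() -> dict:
    real_root = digest(b"constructed Merkle root")
    out = {}
    for name, init_root, harden in (
        ("real root at init", real_root, False),
        ("zero root at init", ZERO_ROOT, False),
        ("zero root at init, hardened", ZERO_ROOT, True),
    ):
        bridge = Bridge(init_root, harden)
        bridge.trusted_roots.add(real_root)  # a later, legitimate root update
        bridge.prove(b"proven transfer", real_root)
        out[name] = (bridge.process(b"proven transfer"), rejects_unproven(bridge))
    return out
```

Each scenario returns a pair: whether a properly proven message is processed, and whether the negative test passes. Only the unhardened zero-root initialization fails the negative test, which is the signal a pre-deployment test run would have surfaced.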
ELI5? hypertele-Xii explains like you are 5 years old.
Their “smart” contract was incorrectly programmed to accept proofless messages as full root access.
If (approval == 0)
Then accept_transaction (withdraw $150 million)
And this is not the last. This anonymous coward said:
What’s funny and sad is the growing number of idiots trying to put money into cryptocurrencies and get scammed by Ponzi cryptocurrency scammers.
In the meantime, rapsey freestyles:
Well done and congratulations to the hackers. One step closer to ridding the world of web3 nonsense.
get a better job
TW: hostage situation, firearms, arbies, nickelback
You are reading SB Blogwatch by Richi Jennings. Richi has handpicked the best blog posts, the best forums, and the weirdest websites. Hate mail may be sent to @RiCHi or [email protected]. Please consult your doctor before reading. Your mileage may vary. E&OE. 30.
Image Source: Mahdi Bafande (via Unsplash, leveled and cropped)