Nomad Bridge Hack: Root Cause Analysis
High-level Issue
An implementation bug caused the Replica contract to fail to authenticate messages properly. This issue allowed any message to be forged as long as it had not already been processed. As a result, contracts relying on the Replica for authentication of inbound messages suffered security failures. This authentication failure resulted in fraudulent messages being passed to the Nomad BridgeRouter contract.
Details
Acceptable Root
Nomad commits to cross-chain messages in a Merkle tree (called the “message tree”). This tree’s root is propagated to remote chains via the optimistic mechanism.
The Replica contract tracks roots from other chains using a mapping(bytes32 => uint256). This maps roots to the timestamp at which they become valid. Messages may not be processed before the root’s optimistic timer has elapsed. When reading a mapping, if the entry has not been set, the default value (also called the 0 value) is read instead. The default value of a uint256 is 0. Any root that has not …
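The default-value behaviour described above, shown as an added example that is not Nomad's Replica code and does not reproduce its logic: a root-to-timestamp mapping read with and without a guard for the "never set" case. The contract name, function names and the `enroll` helper are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration only; names are hypothetical, not taken from Nomad's code base.
contract RootTimerExample {
    // root => timestamp at which the root becomes valid
    // (same shape as the mapping described in the text).
    mapping(bytes32 => uint256) public confirmAt;

    // Record a root and the end of its optimistic window.
    // Access control is omitted to keep the example short.
    function enroll(bytes32 root, uint256 validFrom) external {
        // 0 is what an unset entry reads as, so it can never be a real timestamp.
        require(validFrom != 0, "zero means 'never set'");
        confirmAt[root] = validFrom;
    }

    // Unguarded read: a root that was never enrolled reads 0,
    // and block.timestamp >= 0 holds for every block.
    function acceptableUnguarded(bytes32 root) external view returns (bool) {
        return block.timestamp >= confirmAt[root];
    }

    // Guarded read: reject the default value first, then apply the timer.
    function acceptableGuarded(bytes32 root) external view returns (bool) {
        uint256 time = confirmAt[root];
        if (time == 0) {
            return false; // unknown root
        }
        return block.timestamp >= time;
    }
}
```

For a root that was never enrolled, `acceptableUnguarded` returns true and `acceptableGuarded` returns false. The guard only holds if no code path ever stores a non-zero timestamp for a value that unset entries elsewhere in the contract can default to.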