Last week yet another cryptocurrency theft made headlines, this time the Nomad bridge platform from which nearly $ 200 million worth of cryptocurrencies was stolen.
Before asking ourselves how frequent these events are and how it is possible to put these attacks to good use, let’s clarify some concepts, such as that of cryptocurrency bridge.
A bridge is a connection that allows the transfer of arbitrary tokens and / or data between different blockchains, regardless of whether they use different protocols and governance models.
Since the beginning of the year, five attacks on bridge platforms have caused the loss of a whopping 1,317,000,000 dollars.
According to experts from blockchain security firm CertiK, the main causes behind these incidents are the flaws in the protocols used by the platforms and the lack of experience to defend these systems from attacks.
The founder of the Nomad platform himself, James Prestwich, argues that there is a lack of experience in creating security models for cross-chain applications. The attack on the Nomad platform ranks third in terms of losses, behind the attacks on Ronin Bridge ($ 624 million) and Wormhole Bridge ($ 326 million).
To transfer funds from one blockchain to another; instead it is necessary to use cross-chain bridge, i.e. an investor deposits their tokens on one chain and receives a debit token on the other chain. Once an individual burns their debt token on one chain, the deposit is released on the other chain.
The simplified process described above requires the involvement of multiple entities such as the custodian, the debt issuer and an oracle making these infrastructures complex and full of potential points of attack.
To understand how these attacks take place, let’s try to analyze what happened in the case of the Nomad Bridge in which a bug in the initialization process was exploited. Due to the vulnerability, the attackers were able to bypass the message verification process and took away all tokens used to validate transfers between different blockchains. In practice, an attacker, thanks to the bug, was able to deposit 1 ETH on one blockchain and receive 100 ETH on another. By repeating the procedure, it is possible to empty the platform of the entire amount of cryptocurrencies managed.
The process is not unlike in other attacks, implementation errors in bridge platforms allow an attacker to announce a willingness to transfer a certain amount of cryptocurrencies from one blockchain to another; however, precisely because of the flaws, the attackers are able to transfer any amount even though they do not have the real sums on their wallets, effectively emptying the vulnerable platforms.
The attacks suffered by the Nomad platform, as well as those against other bridges demonstrate the importance of developing robust cross-chain protocols, without which the number of multimillion-dollar robberies is bound to increase.
It is very likely that in the coming months new flaws will be discovered in the interchange platforms between blockchains and that these will be exploited in attacks that will cause significant damage to the victims. It is therefore necessary to work in two main directions; develop protocols with a security-by-design approach and conduct continuous assessments of existing platforms in order to promptly identify gaps that can be exploited by attackers and resolve them quickly.