TL;DR:
The Nomad hack was the result of a vulnerability caused by a complex smart contract used to create a link between two different blockchain architectures.
Qredo takes a completely different approach to blockchain interoperability - instead of directly bridging blockchains with smart contracts, they link via Qredochain as an interoperable layer 2 network. Assets are always protected by a decentralized MPC.
Assets in transit have also proven to be a lucrative target on the financial frontier of cryptocurrencies.
According to Chainalysis
In this post, we unpack the latest cross-chain hack — the Nomad hack of August 2022 — and explain why Qredo provides a better model for blockchain interoperability.
Types of bridge
To move assets between blockchains, you can choose between two types of bridges: trusted and trustless.
Trustless bridges rely on smart contracts and algorithms. You maintain control of your assets but must rely on the security of smart contracts and the underlying blockchain.
Bridges of Distrust: A Popular Target for Hackers
Trustless bridges typically work by having smart contracts on each chain. Tokens are locked in a smart contract on one chain and then reissued on another chain, usually in a "wrapped" form.
For example, to transfer 100 tokens from Solana to Ethereum, the token holder would lock the tokens into a bridge smart contract on Solana. The bridge contract will then mint 100 equivalent or wrapped tokens on Ethereum.
These bridges continue to be targeted by attackers for two main reasons:
Value: Cross-chain bridges usually hold a large number of assets in their smart contracts.
Technical differences in architectures, consensus algorithms, and programming languages can make it very difficult to connect separate blockchains. It's easy to make mistakes - leading to vulnerabilities that attackers can exploit.
How the Nomad hack happened
The Nomad bridge supports the transfer of tokens between multiple blockchains including Avalanche and Ethereum. In the latest cross-chain attack, it was drained of more than $150 million worth of crypto assets.
So how did this happen?
The Nomad bridge has two components: smart contracts on each chain, and off-chain proxies that secure and relay state across chains.
To understand exactly how this happens, we need to be familiar with a specific data structure called a Merkle tree (AKA hash tree).
What is a hash tree?
Hash trees are data structures used in cryptography and data science to generate unique identifiers for datasets. In a blockchain, a hash tree is used to encrypt, summarize and verify all data in a block. In this way, it acts like a digital fingerprint that quickly verifies that all data in a block is complete, uncorrupted, and unchanged as it passes between network peers. A key element of a hash tree is the Merkle root. This is a hash of all hashed transactions (called "leaves") that signifies the integrity of all data contained in the block.
So what happened to the Nomad Bridge?
Typically, the initialized transaction hash is associated with the Merkle root hash of the block containing the transaction. This enables validators to check whether transactions have been proven and update the state of the blockchain.
The Merkle root of an unproven message will be 0x00 because the message will be uninitialized.
It turns out that during a routine upgrade, the Nomad team accidentally initialized the root of trust to 0x00. Since the root of an unproven message is also 0x00, the Merkle tree no longer proves that the transaction is valid.
Once the original attackers proved it was possible, others soon joined in — creating what is known as the first decentralized heist.
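The zero-root failure described above, modelled in Python as an added example (it is not Nomad's contract code and not from the original post). The class, method and message names are hypothetical, and the proof step is simplified to recomputing the whole tree; the example shows the flawed acceptance check beside a hardened one that never accepts the default root.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # root an unproven message maps to by default

def h(data):
    return hashlib.sha256(data).digest()

def merkle_root(leaves):
    """Root of a binary hash tree; the last node is duplicated on odd levels."""
    level = [h(leaf) for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

class BridgeModel:
    """Hypothetical receiving-side bridge contract (assumed names throughout)."""

    def __init__(self, initial_trusted_root, reject_zero_root):
        self.trusted_roots = {initial_trusted_root}
        self.proven_under = {}  # message hash -> root it was proven against
        self.reject_zero_root = reject_zero_root

    def prove(self, message, batch):
        # Simplified proof: recompute the whole tree, not a sibling path.
        if message not in batch:
            return False
        self.proven_under[h(message)] = merkle_root(batch)
        return True

    def process(self, message):
        # A message that was never proven falls back to the zero root.
        root = self.proven_under.get(h(message), ZERO_ROOT)
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: the default value is never a valid root
        return root in self.trusted_roots

def run_scenario(initial_root, reject_zero_root):
    """Return (proven message accepted, never-proven message accepted)."""
    batch = [b"transfer:alice:100", b"transfer:bob:5"]  # constructed sample data
    bridge = BridgeModel(initial_root, reject_zero_root)
    bridge.trusted_roots.add(merkle_root(batch))  # root relayed from the other chain
    bridge.prove(batch[0], batch)
    return bridge.process(batch[0]), bridge.process(b"transfer:unproven:999")

if __name__ == "__main__":
    print(run_scenario(ZERO_ROOT, False))        # upgrade trusted 0x00
    print(run_scenario(h(b"genesis"), False))    # non-zero initial root
    print(run_scenario(ZERO_ROOT, True))         # 0x00 trusted, zero root rejected
```

A deployment check that follows from this: after any upgrade or initialization, assert that the zero root is not in the trusted set before the contract accepts messages.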
Qredo's approach to cross-chain interoperability
Like nearly every other bridge hack of late, the Nomad hack was the result of a vulnerability in a complex smart contract used to create a link between two different blockchain architectures.
Qredo takes a different approach - instead of directly bridging blockchains with smart contracts, they link via Qredochain as an interoperable layer 2 network. In this way, the assets held on Qredo are always kept safe on the underlying chain and protected by decentralized MPC.
Layer 2 Qredochain then acts as an asset registry, enabling assets to be traded instantly between wallets on the Qredo network, and MetaMask Institutional and WalletConnect integrations deployed to different blockchains.
At all times, the assets held in your Qredo wallet are under your control and can only be managed through your governance policy.
Original link: https://www.qredo.com/blog/nomad-hack
Qredo Chinese page: qredo.com/zh-cn
