The Curse of Cross-Chain Bridges: Analysis of the Nomad Hacking Event
Qredo 中国
Invited columnist
2022-08-10 07:00
Lessons from the Nomad hack for the industry, and Qredo’s technical advantages against such attacks.

TL;DR:

  • The Nomad hack was the result of a vulnerability caused by a complex smart contract used to create a link between two different blockchain architectures.

Qredo takes a completely different approach to blockchain interoperability - instead of directly bridging blockchains with smart contracts, they link via Qredochain as an interoperable layer 2 network. Assets are always protected by a decentralized MPC.

Assets in transit have also proven to be a lucrative target on the financial frontier of cryptocurrencies.

according toChainalysisaccording to

In this post, we unpack the latest cross-chain hack — the Nomad hack of August 2022 — and explain why Qredo provides a better model for blockchain interoperability.

Types of bridges

  • To move assets between blockchains, you can choose between two types of bridges: trusted and trustless.

  • Trustless bridges rely on smart contracts and algorithms. You maintain control of your assets but must rely on the security of smart contracts and the underlying blockchain.

Trustless Bridges: A Popular Target for Hackers

Trustless bridges typically work by having smart contracts on each chain. Tokens are locked in a smart contract on one chain and then reissued on another chain, usually in a "wrapped" form.

For example, to transfer 100 tokens from Solana to Ethereum, the token holder would lock the tokens into a bridge smart contract on Solana. The bridge contract will then mint 100 equivalent or wrapped tokens on Ethereum.

These bridges continue to be targeted by attackers for two main reasons:

  1. Value

Cross-chain bridges usually hold a large number of assets in their smart contracts.

Technical differences in architectures, consensus algorithms, and programming languages can make it very difficult to connect separate blockchains. It's easy to make mistakes - leading to vulnerabilities that attackers can exploit.

How the Nomad hack happened

The Nomad bridge supports the transfer of tokens between multiple blockchains including Avalanche and Ethereum. In the latest cross-chain attack, it was drained of more than $150 million worth of crypto assets.

So how did this happen?

The Nomad bridge has two components: smart contracts on each chain, and off-chain proxies that secure and relay state across chains.

To understand exactly how this happens, we need to be familiar with a specific data structure called a Merkle tree (AKA hash tree).

What is a hash tree?

Hash trees are data structures used in cryptography and data science to generate unique identifiers for datasets. In a blockchain, a hash tree is used to hash, summarize and verify all data in a block. In this way, it acts like a digital fingerprint that quickly verifies that all data in a block is complete, uncorrupted, and unchanged as it passes between network peers. A key element of a hash tree is the Merkle root. This is a hash of all hashed transactions (called "leaves") that signifies the integrity of all data contained in the block.

So what happened to the Nomad Bridge?

Typically, the initialized transaction hash is associated with the Merkle root hash of the block containing the transaction. This enables validators to check whether transactions have been proven and update the state of the blockchain.

The Merkle root recorded for an unproven message will be 0x00, because the entry for that message is uninitialized.

It turns out that during a routine upgrade, the Nomad team accidentally initialized the root of trust to 0x00. With 0x00 accepted as a trusted root, the Merkle tree check no longer proved that a transaction was valid: a message that had never been proven matched the trusted root by default.

Once the original attackers proved it was possible, others soon joined in — creating what is known as the first decentralized heist.
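Added example, not code from the original article or from Nomad: a simplified Python model of the hash-tree check and of the failure described above, with the vulnerable behaviour beside a hardened one. The function and class names, SHA-256 as the hash, padding by duplicating the last node, and the sample messages are all assumptions made for illustration.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # value a lookup returns for a message that was never proven

def h(data):
    return hashlib.sha256(data).digest()  # stand-in hash chosen for this sketch

def tree_levels(leaves):
    levels = [[h(x) for x in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(cur[-1])  # duplicate the last node on odd-sized levels
        levels.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels  # levels[-1][0] is the Merkle root

def merkle_proof(leaves, index):
    proof = []
    for level in tree_levels(leaves)[:-1]:
        proof.append((level[index ^ 1], index % 2 == 1))  # (sibling, sibling on left?)
        index //= 2
    return proof

def root_from_proof(leaf, proof):
    node = h(leaf)
    for sibling, on_left in proof:
        node = h(sibling + node) if on_left else h(node + sibling)
    return node

class Bridge:
    def __init__(self, initial_root, hardened=False):
        self.trusted_roots = {initial_root}  # roots the bridge accepts as valid
        self.proven = {}                     # message -> root it was proven under
        self.hardened = hardened
    def prove(self, message, proof):
        self.proven[message] = root_from_proof(message, proof)
    def process(self, message):
        if self.hardened and message not in self.proven:
            return False  # never let the default value stand in for a proof
        return self.proven.get(message, ZERO_ROOT) in self.trusted_roots

# Constructed sample data: three transfers, plus a message nobody ever proved.
TRANSFERS = [b"alice->bob:100", b"carol->dave:5", b"erin->frank:42"]
UNPROVEN = b"mallory->mallory:1000000"

def demo(initial_root, hardened=False):
    bridge = Bridge(initial_root, hardened)
    bridge.trusted_roots.add(tree_levels(TRANSFERS)[-1][0])  # later legitimate update
    bridge.prove(TRANSFERS[1], merkle_proof(TRANSFERS, 1))
    return bridge.process(TRANSFERS[1]), bridge.process(UNPROVEN)
```

`demo(ZERO_ROOT)` returns `(True, True)`: the never-proven message is accepted alongside the legitimate one. With `hardened=True`, or with any non-zero initial root, the second value is `False`.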

Qredo's approach to cross-chain interoperability

Like nearly every other bridge hack of late, the Nomad hack was the result of a vulnerability in a complex smart contract used to create a link between two different blockchain architectures.

Qredo takes a different approach - instead of directly bridging blockchains with smart contracts, they link via Qredochain as an interoperable layer 2 network. In this way, the assets held on Qredo are always kept safe on the underlying chain and get Decentralized MPC

Layer 2 Qredochain then acts as an asset registry, enabling assets to be traded instantly between wallets on the Qredo network, and MetaMask Institutional and WalletConnect integrations deployed to different blockchains.

At all times, the assets held in your Qredo wallet are under your control and can only be managed through your governance policy.

Original link: https://www.qredo.com/blog/nomad-hack

Qredo Chinese page: qredo.com/zh-cn
