Written by: Patrick Estano
It’s safe to say that cryptocurrency is here to stay in our modern-day society. Whether it be a casual enthusiast buying a few dollars’ worth of Shiba Inu or a hardcore investor purchasing a full Bitcoin, the concept of decentralized virtual currencies has captured the attention of millions.
Nomad, a popular crypto exchange platform, has facilitated nearly $700M in total transaction volume for over 14,000 users. However, with all new and exciting technologies comes yet another opportunity for exploitation. In the case of cryptocurrency being decentralized, it relies on smart contracts (programs within a blockchain that are used to complete a transaction when certain conditions are met) to accurately manage, track, and compete transactions. In the case of the recent Nomad hack, these contracts were exploited by hackers to exploit nearly $200 million worth of cryptocurrency. Incidents like this highlight the need for heightened security, no doubt. But in this specific case, having an appropriate Secure Software Development Life Cycle (SSDLC) could have prevented this horrific attack.
The attack on the Nomad bridge took place in August of 2022. The issue stemmed from a bugged smart contract update being mistakenly applied to the live environment. Due to this oversight, it became easy for hackers to spoof transactions, or in other words, withdraw money from the Nomad bridge that did not belong to them. In an article published by Mint, Paradigm researcher “samczsun” stated that all a malicious individual had to do to exploit the bug was find a transaction that worked, find and replace the personally identifying information with yours, and then re-broadcast it. A routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all.
Thankfully, Nomad reported that many “white-hat hackers,” a term used to describe those who hack with good intent, were able to secure millions of dollars in funds and hold them in order to prevent malicious hackers from taking them. However, the damage was unfortunately already done, as an estimated $200 million worth of crypto was stolen from the platform.
In hindsight, this was easily preventable through controlled procedures under a robust SSDLC program. Organizations involved in the development of software and programs understand the need for a process model that governs the progress of work, that of a Software Development Life Cycle (SDLC). However, given the elevated threats across the crypto sector and industry, it is surprising to see that many companies have not incorporated a mature and deep security testing element into their SDLC, resulting in a SSDLC.
Developing security around SDLC processes and components ensures that each of the development stages, from design to product, is secure. Ensuring the security in the SDLC requires new considerations across multiple elements. There needs to be formal security requirement definitions that are reviewed and approved. In the process of designing, developing, and testing, elements of the defined security requirements must be met. This includes validations such as secure design reviews and secure code reviews. At implementation, further testing should be periodically maintained. This is usually in the form of penetration testing, security assessments, and smart contract audits.
The smart contract auditing firm Quantstamp was responsible for auditing Nomad at the time of the attack. They describe that in their audit, which took place two months before the attack in June of 2022, they identified 40 issues, including QSP-19, 21, and 23, which are issues around input validation and edge cases (a link to their full report and the specific issues can be found here). It is crucial that companies act upon their auditors’ recommendations and observations, especially in cases like this. This lifecycle, along with proper smart contract auditing, constructs a strong foundation for security risk mitigations. In addition, taking a holistic risk management approach that focuses specifically on these types of breaches could help to further mitigate the potential risk that bridges such as Nomad face.
Smart contracts and blockchains will continue to digitalize the world, but the security element cannot be overlooked. This specific incident is just one of many examples of crypto bridges being exploited. Other bridges such as Axie Infinity Ronin, as well as Harmony, have been exploited. These hacks, along with the Nomad hack, are a glimpse of the bad, but there is always a light at the end of the tunnel. These are lessons to be learned, and they will only strengthen our understanding in dealing with these incidents. Security practices, such as creating and maintaining a strong Secure Software Development Life Cycle (SSDLC) program, and participating in regular third-party smart contract audits, must be relied on as a source to promote trust and transparency within these organizations and ensure best security practices are always considered.