9/ If you have used Slope, you should generate a new wallet and migrate your assets there.
The private keys previously used in Slope should be considered compromised.
10/ The investigation into this incident is still ongoing.
We have been working with other security researchers & firms to identify the root cause and will continue to work closely with them to release more details. Please follow @Zellic_io for more updates.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
1/ Nomad was just hacked for $190M, making it the 5th largest DeFi hack of all time. How did this happen? We break down not just the exploit, but also HOW THE VULNERABILITY WAS INTRODUCED IN THE FIRST PLACE.
Understanding bugs isn't enough. We need to stop merging them.👇
2/ The hack a mess. Most hacks occur instantly. For Nomad, the bridge was slowly drained over the course of an hour.
This was the first exploit transaction.
It was simple: it interacted directly with the bridge, calling a single function, process().
3/ Looking at process(), this function is responsible for executing cross-chain messages. This function's security is absolutely critical. It is the linchpin of the entire bridge. Every message ends up here.
It must ensure that only valid messages are executed, and only once.
In one of our recent engagements with a customer, we were asked to audit some code which depended on BokkyPooBah's DateTime library. The contract calculates the day of the month from block.timestamp, and it does this to ensure an operation happens only up to once a month.
This wasn't our first seeing BokkyPooBah's DateTime library. Many other projects depend on this code as well. This made me wonder--with a magic looking formula like this, has this code been actually verified? If there were a bug, it would be a vulnerability across many projects.
The function is documented, but if you try to go to the link they cite as a source, it just returns an error. The webpage doesn't exist anymore.