35 / Nomad hack

Exploring the recent hack on Nomad and discussing the transaction malleability issue in the world of cryptocurrency. Tune in to find out what happened to Nomad and what this means for the future of blockchain security.

Timeline

00:00 Intro

00:48 Nomad hack announcement

05:28 What is transaction malleability?

07:49 Why bridges hacked and not L1?

08:06 Let's see if we can find the code

10:06 Use transaction to find the contract

11:19 Spam opportunity to find ppl that got hacked

11:41 The source code

12:45 Founders can rugpull this

13:58 Upgradable contracts slow incident response

Badges

Episode notes

Edit these notes…

Used to be one-hack-a-week rhythm, but slowed down
Now we’re back with Nomad
- https://twitter.com/fulldecent/status/1554597775412805633 The contract address
- Addressed with a16z crypto security team (former leaders of Facebook’s Novi wallet)
https://twitter.com/nomadxyz_/status/1554246853348036608
- Transaction malleability (replayable)
  - Malleability (maybe TX is signed but then can be changed BUT the original or changed version can only be used once so there is one “nullifier”)
    - Read the GM17 paper to see more on this
  - Cryptographic non-injuction
- Almost impossible to find the smart contracts on etherscan
- Why doesn’t the Nomad website:
  - Mention that the contracts are upgradeable
  - Share the actual addresses of their live contracts
- It does (quietly in the docs): https://docs.nomad.xyz/operational-security/contracts
- Nomad docs about governance
Nomad’s contracts on Github