The word of the week is chaos. From a first-of-its-kind decentralized looting mob destroying Nomad to the mysterious draining of more than 8K Solana wallets, it's been a crazy week. Sadly, there is more.
Welcome to I, Degen - We track down and explore the most exciting crypto hacks, mysteries, exploits, and anything that feeds our crypto curiosity each week. We dig in, cutting through the misinformation and hype in search of signal from the noise.
Episode Summary
The word of the week is chaos. From the first-of-its-kind decentralized looting mob destroying Nomad to the mysterious draining of more than 8K Solana wallets, it’s been a crazy week. Sadly, there is more.
What is Nirvana? Buddhist state of bliss? Iconic 90’s band? Nope in this context, Solana Based Yield Protocol (what even is a ‘yield protocol’?). Also, a stablecoin.
@Huntfrye Nirvana Finance, a Solana-based yield protocol. Nirvana allowed users to earn annual yields on their locked assets by creating and destroying tokens based on user demand as the ANA tokens were bought from and sold to the protocol.
Looks pretty similar to some other algorithmic coins that rebase or change supply daily due to demand
Is this Similar to the Beanstock flash loan attack we talked about on I Degen a few episodes back?
Hacked for 3.5 MM using FlashLoans
What’s a Flash Loan?
The loans enable merchants to obtain unsecured loans from lenders using smart contracts in place of intermediaries. No collateral is required because the contract only considers the transaction complete when the borrower pays the lender.If a borrower fails to repay a flash loan, the smart contract will halt the transaction and repay the lender’s money. – DeFi Planet
I, Degen - Deep Dives
1) Nomad looted for 190MM by a decentralized mob
What is Nomad? Nomad is a bridge that allows you to move assets from chain to chain, such as avalanche, Ethereum, Moonbeam, EVMOS, and Milkomeda. “Wow I haven’t even heard of a couple of those”
What happened? TLDR; ~190 MM, ~2.5 Hours, Initial TX exploiting the bridge, then a swarm of copycats loot the protocol.
Hunt: why not take it all at once? Good question. Zak: let’s talk about how the hack worked.
How did it happen?
Bridge stores funds - deposit ETH, receive XYZ on Moonbeam
Merkel Tree used to validate cross-chain transactions
After a failed first attempt (costing $350k in gas), the original attacker’s exploit tx, which was copied by those that followed, was able to call the process() function directly, without having first ‘proved’ its validity. rekt.newsThis meant any process() calls could be executed as valid. In fact, a more sophisticated exploiter could have written a contract to drain the whole bridge for themselves.
Initial reports claim the root of the issue was called out in the audit; however, that seems incorrect. Perhaps it was the audit the led the attacker to look at this section of the code. Still, the vulnerability that was exploited appears to have been introduced to the repository on May 23rd and then pushed to the blockchain with an update in June.
DeFi Dominos
The collateral damage from the unbacked assets is also severely affecting the chains that depended on Nomad. Moonbeam, EVMOS and Milkomeda have all taken a significant hit to their TVLs. rekt.news
Hunt: The most interesting and crazy part about this hack to me was that other people noticed the hack going on in real-time, joined in the fun, and were able to withdraw funds. Whether these other users who were getting in on this honey pots were White Hats and trying to take some of the funds before the attacker could, or were they maliciously trying to steal for themselves? Nomad has placed an address on their home page asking for any white hats to return funds to a specific address.
Did you see that meme floating around Twitter? It was a bunch of people looting a stoor who were the copycat hackers after the main attacker busted into the store initially.
2) Solana Wallet Hack
What is Solana? @Huntfrye Solana is an extremely well-funded alternate layer 1 that boasts as one of the main competitors to Ethereum. Most people agree that Solona has sacrificed some of the decentralization and security to provide extremely high throughput.
What happened? Roughly 9K addresses on the Solana network were compromised, draining more than 6MM worth of various tokens. For perspective, there are more than 25MM addresses on Solana as of this writing.
11PM UTC on August 2nd, 2022, SOL and USDC started mysteriously being transferred from wallets.
A host of wild theories spread across crypto twitter including from a Solana Founder himself.
An on-chain sleuth would later reveal that Sentry, a third-party event logging platform connected to Slope, was doing just that.
‘whitehat’ tries to DDoS attacker
attempts to dox hacker with NFT image trick - psyops or legit?
Samczsun - Legendary whitehat, posts form to collect info and solve the puzzle
Various calls to point out, ‘it’s not an issue with Solana blockchain itself!’. Sure, but in a certain context that distinction doesn’t matter.
Hunt thoughts overall: Details are still coming to light on this hack, but it does not seem like it was an issue with the Solana blockchain itself but more a problem with hot wallets, including Phantom, Slope, and TrustWallet. While Slope wallet claims on its website that they are a “non Custodial Wallet and that slope wallet does not store your mnemonic seed phrase.”
White hats even tried DDOS attacking the Solana chain to slow down the attacker from draining wallets.
Human Perspective:
One fascinating thing that stands out to me about this attack is the lack of quick or immediate resolution. The mystery. New legends are born. The race to a solution.
Attacker side - Imaging trying to pick when to execute this attack - let’s say you have a backdoor, each day, more funds are being added to vulnerable wallets, but there is a risk that someone will discover your backdoor.
Victims - Utter frustration. Probably feeling like they did everything right, “not your keys, not your coins,” but then they get owned.
I, Degen - Freestyle Convo Zak: Who lied and where is proof? Are you sure it’s not ignorance - IE devops enabled logging and forgot to turn it off, OR hacker enabled logging with intent to steal?
Either way, indeed Slope is responsible, it’s their app and network. Either way, this comment is especially toxic and based on assumptions that may or not be correct. Maybe wait for full before encouraging your 200K followers to be enraged?
Zak: No. This doesn’t have to happen, and it’s not good for crypto. Only in a perfect world can this can be ‘handled correctly.’ We still see SQL injection vulns in significant platforms in 2022. The idea that because an exploit happens, it will make any/all future code/systems better is hopium at best. This kind of misguided banter does nothing but harm the overall ecosystem by setting up a false narrative.
I, Degen - What’s the most creative way we almost got owned this week?
Hunt: Well, mine is interesting because I know they were trying to own me, but I am not sure how the scam worked. I got airdropped a random NFT; then all the sudden got a 1.1 ETH offer on that NFT that I was airdropped. When I looked at the collection, there were ZERO sales, and floor price was at zero ETH. I am not sure how the sale would be malicious, but I am pretty sure that one is too good to be true. How do you think they were trying to get me?
Zak: private key scam on Twitter. They a private key claiming they don’t know how wallets work in hopes that you will load up the key in an attempt to steal the tokens. Then you notice there is no ETH for gas, so you send ETH. But, it’s a smart contract wallet with a function to transfer incoming ETH out immediately. So, you get rekt for trying to steal.
We do our best to report accurately on the topics we discuss but we won’t always get everything correctly. Please comment here or reach out to us @idegenfm with corrections or comments!
