Nomad Docs
  • Nomad 101
    • Funds Recovery
    • Introduction
    • Our Mission
    • Getting Started
  • The Nomad Protocol
    • Overview
    • Cross-chain Messaging
      • Lifecycle of a Message
    • Verification Mechanisms
      • Background on Verification
      • Native Verification
      • External Verification
      • Optimistic Verification
      • Comparing Mechanisms
    • Security
      • Root of Trust
        • Fraud
          • Optimistic Timeout Period
          • Fraud Recovery
        • App-Governed Root of Trust
        • Liveness Assumptions
      • Attack Vectors
        • Key Compromise
        • Economic Attacks
        • Smart Contract Bugs
      • Long-Term Security
        • Permissionless Watchers
        • Financial Controls
        • Cross-Domain MEV
    • Smart Contracts
      • Home
      • Replica
      • XAppConnectionManager
    • Off-chain Agents
      • Updater
      • Watchers
      • Relayer
      • Processor
  • Token Bridge
    • Overview
    • How to Bridge
      • Using Etherscan
      • Nomad Bridge App
      • Testnet Bridge App
    • Asset Issuers
      • Custom Representations
    • Deployed Tokens
      • Mainnet
      • Testnet
    • Smart Contracts
      • BridgeRouter
      • TokenRegistry
      • BridgeToken
      • BridgeMessage
    • Architecture
    • FAQ
  • Governance Bridge
    • Overview
    • Zodiac: Nomad Module
    • Smart Contracts
      • NomadModule
    • Architecture
  • Developers
    • Quickstart
      • Send Messages
      • Receive Messages
    • Environments
      • Domain (Chain) IDs
    • Application Developers
      • Building xApps
      • SDK
        • Contracts SDK
        • Typescript SDK
      • Examples
        • Ping Pong
        • Example Bridge GUI
        • xApp Example
      • Advanced
        • Router Pattern
    • Node Operators
      • Running Agents Guide
        • Troubleshooting
      • Running a Watcher
      • Agent Operations
      • Agent Gas Values
      • The Keymaster
    • Core Developers
      • Upgrade Setup
      • Deploying Contracts
        • Development
        • Production
  • Operational Security
    • Audits
    • Bug Bounty
    • Governance
    • Contracts
    • Agent Operations
  • Resources
    • Awesome Interoperability
    • Brand Kit
    • FAQ
    • Glossary
    • GitHub
    • Discord
    • Twitter
    • Website
Powered by GitBook
On this page
  • How They Work
  • Defense
  1. The Nomad Protocol
  2. Security
  3. Attack Vectors

Smart Contract Bugs

PreviousEconomic AttacksNextLong-Term Security

Last updated 2 years ago

The third set of attacks we've seen on interoperability protocols are those exploiting smart contract vulnerabilities. Unlike key compromise and economic attacks however, smart contract bugs do not explicitly target the root of trust — meaning they do not attempt to take control of keys.

Rather, they find holes in the application or networking logic that were enshrined on-chain. A perfect example of this was , where the attacker exploited faulty smart contract code that allowed them to mint 120,000 WETH on Solana without escrowing the necessary collateral on the Ethereum side.

How They Work

Smart contract vulnerabilities, like economic attacks, are myriad. Anytime logic interacting with user funds is deployed on-chain, it has the potential to introduce unintended behavior. As such, we've seen a range of smart contract vulnerabilities over time which eventually become well understood, like .

At their core, smart contract hacks involve hackers exploiting logic that does something different from what the app developer intended. The most severe outcome is the loss of all funds the contracts manage. Rather than enumerate the different categories of smart contract bugs here, we will point you to .

Defense

Smart contract bugs are unfortunately incredibly common, and the only way to defend against them is to follow established and safe patterns, thoroughly test code, get multiple audits, and then pray that nobody missed anything.

Unfortunately, whenever on-chain logic begins interacting with and custodying significant value, one must expect hackers to comb through the code looking for vulnerabilities. Rather than repeating what many security experts have said here, we will point to .

In the context of interoperability, we need to ensure that both the messaging passing layer, as well as any cross-chain applications like token bridges have been thoroughly tested and audited by developers. In the case of Nomad, all of our smart contracts have been fully, and we also have paying out $1M for critical vulnerabilities.

the Wormhole exploit
re-entrancy attacks
this list of known attacks compiled by Consensys
OpenZeppelin's documentation
audited by Quantstamp
ImmuneFi bug bounties