Nomad Docs
  • Nomad 101
    • Funds Recovery
    • Introduction
    • Our Mission
    • Getting Started
  • The Nomad Protocol
    • Overview
    • Cross-chain Messaging
      • Lifecycle of a Message
    • Verification Mechanisms
      • Background on Verification
      • Native Verification
      • External Verification
      • Optimistic Verification
      • Comparing Mechanisms
    • Security
      • Root of Trust
        • Fraud
          • Optimistic Timeout Period
          • Fraud Recovery
        • App-Governed Root of Trust
        • Liveness Assumptions
      • Attack Vectors
        • Key Compromise
        • Economic Attacks
        • Smart Contract Bugs
      • Long-Term Security
        • Permissionless Watchers
        • Financial Controls
        • Cross-Domain MEV
    • Smart Contracts
      • Home
      • Replica
      • XAppConnectionManager
    • Off-chain Agents
      • Updater
      • Watchers
      • Relayer
      • Processor
  • Token Bridge
    • Overview
    • How to Bridge
      • Using Etherscan
      • Nomad Bridge App
      • Testnet Bridge App
    • Asset Issuers
      • Custom Representations
    • Deployed Tokens
      • Mainnet
      • Testnet
    • Smart Contracts
      • BridgeRouter
      • TokenRegistry
      • BridgeToken
      • BridgeMessage
    • Architecture
    • FAQ
  • Governance Bridge
    • Overview
    • Zodiac: Nomad Module
    • Smart Contracts
      • NomadModule
    • Architecture
  • Developers
    • Quickstart
      • Send Messages
      • Receive Messages
    • Environments
      • Domain (Chain) IDs
    • Application Developers
      • Building xApps
      • SDK
        • Contracts SDK
        • Typescript SDK
      • Examples
        • Ping Pong
        • Example Bridge GUI
        • xApp Example
      • Advanced
        • Router Pattern
    • Node Operators
      • Running Agents Guide
        • Troubleshooting
      • Running a Watcher
      • Agent Operations
      • Agent Gas Values
      • The Keymaster
    • Core Developers
      • Upgrade Setup
      • Deploying Contracts
        • Development
        • Production
  • Operational Security
    • Audits
    • Bug Bounty
    • Governance
    • Contracts
    • Agent Operations
  • Resources
    • Awesome Interoperability
    • Brand Kit
    • FAQ
    • Glossary
    • GitHub
    • Discord
    • Twitter
    • Website
Powered by GitBook
On this page
  • How does Nomad Recover?
  • Block Further Fraud
  • Erase Past Fraud
  • Restore the Channel
  1. The Nomad Protocol
  2. Security
  3. Root of Trust
  4. Fraud

Fraud Recovery

PreviousOptimistic Timeout PeriodNextApp-Governed Root of Trust

Last updated 2 years ago

The ideal scenario is that fraud never happens. In the event that it does however, Nomad has a built-in mechanism via the to prevent it. Once fraud has been prevented, the system will need to be recovered and set back into normal operations. This section covers that process from a high level.

Post-fraud, the state on-chain is as follows:

  • The where fraud was flagged is in the FAILED state. This means that the Home can no longer accept new Updates.

  • Replicas are un-enrolled in the xAppConnectionManager for all xApps. Replicas CAN accept new Updates, but message processing is paused for all xApps.

How does Nomad Recover?

When Fraud has occurred, there are three main categories of action that must be taken to recover the channel:

Note: In this document, Fraud Recovery is defined / considered within the context of one single Updater’s lifecycle.

Block Further Fraud

being detected implies that Updater is either malicious, compromised, or (unfortunately) the victim of a large re-org on the origin chain. In any case, the Updater must be removed from their position of power, in order to prevent them from submitting any further fraudulent Updates in the future.

Home

  • The Home is in a FAILED state, and the fraudulent Updater can no longer submit any Updates

  • Therefore, further Fraud from this Updater is automatically blocked

Replica

  • The Updater can keep submitting Updates indefinitely while they still hold the Updater role

  • In order to block ongoing fraud attempts from a malicious Updater, they must be un-seated from their privileged role

  • This must be done before attempting to erase past fraud; otherwise, there is no definitive cap on the amount of fraudulent state that must be erased

Erase Past Fraud

Home

    • Therefore, “erasing fraud” is irrelevant within the context of the Home

Replica

  • Fraudulent roots CAN be submitted to the Replica at any time

  • Once the Updater has been un-seated from their role, they can no longer continue to submit fraudulent updates

  • Therefore, there is a finite number of fraudulent roots from that Updater which can be present on the Replica

  • In order to restore the integrity of the Replica, Nomad governance must erase fraudulent Updates from all Replicas affected

  • When this is done, the state on the Replica will once again appropriately reflect the state of the Home

  • At this point, processing messages from the Replica is once again safe

Restore the Channel

Once the attempted damage done by a fraudulent Updater has been mitigated, it is safe to allow the system to continue operating. In order to do so, we must rotate the Updater role to a new key, with which the system can have a renewed sense of (optimistic) trust.

Home

  • We must rotate the Updater role to a new, un-compromised public key

  • We must transition the Home contract state from FAILED to ACTIVE

  • This will allow the Home contract to begin to accept Updates from the new Updater, such that the channel can continue operating as normal

Replica

  • Applications must re-enroll the Replica on their xAppConnectionManager contract

  • This will allow processing of messages for the xApp to resume as usual

By definition, fraudulent roots cannot be stored on the Home — data availability on the home guarantees that it will be

As long as a fraudulent root is set in the mapping on the Replica, it is or will soon be possible to attempt to prove messages against it

detected by the smart contract and automatically prevented
confirmAt
optimistic timeout period
Home
Fraud
Block Further Fraud
Erase Past Fraud
Restore the Channel