September 29, 2023

In the early hours of August 2, Nomad Bridge posted a notice that it was aware of an ongoing exploit. In the following hours, all of the protocol’s funds of more than $190 million were exhausted.

Crypto community developer and white hat ‘samczsun’ broke down the chain of events, explaining what happened. He called the attack “one of the most chaotic hacks Web3 has ever seen.”

Nomad is a cross-chain token bridge connecting Ethereum, Avalanche, Milkomeda and Moonbeam.

Nomad’s funds ran out

The researchers shared a tweet on the ETHSecurity Telegram channel showing multiple transactions of funds leaving the bridge. At first glance, it looked like it was a misconfiguration of the decimal places, but samczsun discovered:

“However, after some painstaking manual research on Moonbeam’s network, I confirmed that while the Moonbeam transaction bridged 0.01 WBTC, somehow the Ethereum transaction bridged to 100 WBTC.”

What makes this exploit different is that the transactions were executed directly, without first being “proved.” “Being able to edit a message without proving it first is not good,” said samczsun. The coder did some more digging and found a fatal flaw in the ‘Replica’ smart contract that was initialized during a routine Nomad upgrade.

He added that this was chaotic because crypto thieves didn’t need any technical knowledge. They just had to find a transaction that worked, replace the target address with their own, and relay it.

“A routine upgrade marked the null hash as a valid root, which resulted in allowing message spoofing on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a free-for-all frenzy.”
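To make the failure mode concrete, here is an added Python model of the acceptance check the quote above describes; it is not Nomad's code. The Replica class, the message encoding and the field names are constructed for illustration: a never-proven message reads back the mapping default (the zero root), so marking the null hash as a confirmed root lets any copied message with a swapped recipient through.

```python
import hashlib
import time

ZERO_ROOT = b"\x00" * 32  # the "null hash": default value of an unset mapping slot


def message_hash(message: dict) -> bytes:
    """Constructed stand-in for the bridge's message encoding (assumption)."""
    encoded = f"{message['sender']}|{message['recipient']}|{message['amount']}".encode()
    return hashlib.sha256(encoded).digest()


class Replica:
    """Simplified model of a Replica's proof bookkeeping (not Nomad's contract)."""

    def __init__(self, committed_root: bytes, hardened: bool):
        self.hardened = hardened
        self.confirm_at = {}   # root -> time after which messages under it may be processed
        self.messages = {}     # message hash -> root the message was proven against
        self.processed = set()
        if hardened and committed_root == ZERO_ROOT:
            raise ValueError("refusing to initialise with the null hash as a trusted root")
        self.confirm_at[committed_root] = 1  # the upgrade marks the initial root as confirmed

    def acceptable_root(self, root: bytes) -> bool:
        if self.hardened and root == ZERO_ROOT:
            return False  # an unproven message can never be acceptable
        confirmed_at = self.confirm_at.get(root, 0)
        return confirmed_at != 0 and time.time() >= confirmed_at

    def prove(self, message: dict, root: bytes) -> None:
        """Legitimate path: record which confirmed root a message belongs to."""
        self.messages[message_hash(message)] = root

    def process(self, message: dict) -> bool:
        h = message_hash(message)
        if h in self.processed:
            return False
        # Never-proven messages read back the mapping default: the zero root.
        root = self.messages.get(h, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        return True


def replay_with_new_recipient(replica: Replica, original: dict, recipient: str) -> bool:
    """Copy an existing message, swap the recipient, relay it without a proof."""
    return replica.process({**original, "recipient": recipient})
```

A replica initialised with the zero root accepts both the unproven original and the copied message; the hardened variant refuses that initialisation and rejects anything that was never proven.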

TVL to zero

Nomad has even discovered fraudulent addresses trying to steal money returned to the bridge.

According to DefiLlama, the total value locked in Nomad has dropped from $190.38 million to $5,336 in the last few hours.

Nomad is the latest token bridge to be exploited this year, following the high-profile exploits of Ronin Bridge, Wormhole and Harmony.
