In the early hours of August 2, Nomad Bridge posted a notice that it was aware of an ongoing exploit. Within hours, the protocol's entire holdings, more than $190 million, had been drained.
Crypto community developer and white hat ‘samczsun’ broke down the chain of events, explaining what happened. He called the attack “one of the most chaotic hacks Web3 has ever seen.”
1/ Nomad just got drained for over $150 million in one of the most chaotic hacks Web3 has ever seen. How exactly did this happen and what was the root cause? Let me take you behind the scenes 👇 pic.twitter.com/Y7Q3fZ7ezm
— samczsun (@samczsun) August 1, 2022
Nomad is a cross-chain token bridge connecting Ethereum, Avalanche, Milkomeda and Moonbeam.
Nomad’s funds ran out
A tweet shared in the ETHSecurity Telegram channel showed multiple transactions pulling funds out of the bridge. At first glance it looked like a decimals misconfiguration, but samczsun found otherwise:
“However, after some painstaking manual research on Moonbeam’s network, I confirmed that while the Moonbeam transaction bridged 0.01 WBTC, somehow the Ethereum transaction bridged 100 WBTC.”
What made this exploit unusual is that messages were executed directly, without first being “proved”. “Being able to edit a message without proving it first is not good,” said samczsun. Digging further, he traced the root cause to the ‘Replica’ smart contract, which had been re-initialized during a routine Nomad upgrade. The Replica accepts a message only if the Merkle root it was proven under has been confirmed; a message that was never proven has no recorded root, so it reads as the zero hash. Once the upgrade marked that zero hash as a confirmed root, every unproven message passed the check.
He added that the attack turned chaotic because the thieves needed no technical knowledge at all. They only had to find a transaction that had worked, replace the target address with their own, and relay it.
“A routine upgrade marked the null hash as a valid root, which resulted in allowing message spoofing on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a free-for-all frenzy.”
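To make the mechanism concrete, here is a simplified Python model of the Replica's acceptance check. This is an added illustration written for this article, not Nomad's Solidity code: the `Replica` class, the `Message` format, the use of sha3_256 in place of keccak256, and the sample addresses and amounts are all constructed assumptions. It shows why an unproven message sails through once the zero root is confirmed, why the copy/paste-and-swap-recipient trick defeats replay protection, and two ways the check holds up (a non-zero committed root, or requiring a proof).

```python
"""Model of a Nomad-style Replica acceptance check (added example, not Nomad's code)."""
import hashlib
from dataclasses import dataclass

# Solidity mappings return zero for unset keys; an unproven message therefore
# maps to the all-zero root.
ZERO_ROOT = b"\x00" * 32


def keccak(data: bytes) -> bytes:
    """Stand-in for keccak256; sha3_256 is good enough for the model (assumption)."""
    return hashlib.sha3_256(data).digest()


@dataclass(frozen=True)
class Message:
    """Bridge message: who sent it on the origin chain, who receives, how much."""
    sender: str
    recipient: str
    amount: int  # base units, e.g. satoshi-style units of WBTC

    def hash(self) -> bytes:
        return keccak(f"{self.sender}|{self.recipient}|{self.amount}".encode())


class Replica:
    def __init__(self, committed_root: bytes):
        # initialize() marks the committed root as confirmed (confirmAt[root] = 1).
        # Nomad's upgrade passed 0x00..00 here, which is the bug the article describes.
        self.confirm_at: dict[bytes, int] = {committed_root: 1}
        self.messages: dict[bytes, bytes] = {}  # message hash -> root it was proven under
        self.processed: set[bytes] = set()
        self.balances: dict[str, int] = {}

    def acceptable_root(self, root: bytes) -> bool:
        """A root is acceptable once confirmAt[root] is non-zero."""
        return self.confirm_at.get(root, 0) != 0

    def prove(self, msg: Message, root: bytes) -> None:
        """Record the root a message was proven under (Merkle proof assumed verified)."""
        self.messages[msg.hash()] = root

    def process(self, msg: Message, require_proof: bool = False) -> bool:
        """Execute a message if its recorded root is acceptable. Returns True on success."""
        h = msg.hash()
        if h in self.processed:
            return False  # replay protection: same hash cannot run twice
        root = self.messages.get(h, ZERO_ROOT)  # unproven -> zero root, like Solidity
        if require_proof and root == ZERO_ROOT:
            return False  # hardened: an unproven message is never acceptable
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        self.balances[msg.recipient] = self.balances.get(msg.recipient, 0) + msg.amount
        return True


def demo() -> dict:
    """Run the legitimate flow and the copy/paste attack against three Replica states."""
    real_root = keccak(b"constructed batch of committed messages")  # sample, not chain data
    legit = Message("0xalice@moonbeam", "0xalice", 1_000_000)       # constructed 0.01 WBTC
    spoofed = Message(legit.sender, "0xattacker", legit.amount)      # recipient swapped

    buggy = Replica(committed_root=ZERO_ROOT)     # post-upgrade state
    healthy = Replica(committed_root=real_root)   # zero root never confirmed
    hardened = Replica(committed_root=ZERO_ROOT)  # same bad init, proof required

    healthy.prove(legit, real_root)  # the honest path: prove, then process
    return {
        "buggy_accepts_unproven_spoof": buggy.process(spoofed),
        "buggy_rejects_exact_replay": buggy.process(spoofed),
        "healthy_rejects_unproven_spoof": healthy.process(spoofed),
        "healthy_accepts_proven": healthy.process(legit),
        "hardened_rejects_unproven_spoof": hardened.process(spoofed, require_proof=True),
        "attacker_balance_on_buggy": buggy.balances.get("0xattacker", 0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the exact replay is blocked by the processed-hash set, which is why attackers changed the recipient: a new recipient gives a new hash that has never been processed or proven, and on the buggy Replica "never proven" is exactly what gets accepted.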
TVL to zero
Nomad has also warned of impersonators posting fraudulent addresses in an attempt to intercept funds being returned to the bridge.
We are aware of impersonators posing as Nomad and providing fraudulent addresses to collect money. We do not yet provide instructions on returning bridge funds. Ignore comments from all channels except Nomad’s official channel: @nomadxyz_
— Nomad (⤭⛓🏛) (@nomadxyz_) August 2, 2022
According to DefiLlama, the total value locked in Nomad has dropped from $190.38 million to $5,336 in a matter of hours.
Nomad is the latest token bridge to be exploited this year, following the high-profile hacks of Ronin Bridge, Wormhole and Harmony.