After a few quiet months, it happened again: another blockchain bridge hack with hundreds of millions of dollars in losses.
Nomad, a cryptocurrency bridge that allows users to exchange tokens between blockchains, is the latest to be hit after a frenzied attack on Monday left nearly $200 million of its funds depleted.
The hack was acknowledged by the Nomad project’s official Twitter account on Monday, August 1, initially as an “incident” under investigation. In a further statement released early Tuesday morning, Nomad said the team was “working around the clock to address the situation” and had also notified law enforcement.
Update: We are working around the clock to address the situation and have notified law enforcement and retained leading blockchain intelligence and forensics companies. Our goal is to trace the accounts involved and trace and recover the funds.
— Nomad (⤭⛓ ) (@nomadxyz_) August 2, 2022
In another Twitter thread, samczsun, a researcher at the crypto investment and Web3 firm Paradigm, explained that the exploit was made possible by a misconfiguration of the project’s main smart contract that allowed anyone with a basic understanding of the code to authorize withdrawals to themselves.
“This is why the hack was so chaotic,” wrote samczsun. “[Y]ou didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then rebroadcast it.”
A further postmortem by blockchain security audit firm CertiK noted that this created a copycat dynamic: people who saw money being stolen by the above method could substitute their own addresses and replicate the attack. This led to what one Twitter user described as “The first decentralized crowd looting of a 9-digit bridge in history”.
On a more optimistic note, Nassim Eddequiouaq, crypto CISO at Andreessen Horowitz, suggested that funds could be recovered from “preemptively drained white hats,” although how many of those who took funds from Nomad fall into that category is unknown.
The security team at @a16z Crypto investigated the @nomadxyz_ bridge hack and found its root cause. Nothing should be done at this time except to return funds from the white hats that were drained as a precaution.
We will work with the ecosystem members to prevent such problems in the future. https://t.co/UpIagMJctQ
— Nass – nassyweazy.eth (@nassyweazy) August 2, 2022
Blockchain bridges are now commonly the target of the most high-profile hacks in the cryptocurrency industry, due to the large value of assets they often hold and the complexity (and thus potential vulnerability) of the smart contract code they run. This year, just two hacks accounted for nearly a billion dollars in stolen funds: in February, the Wormhole bridge platform was hacked for $325 million after a hacker found a bug in open source code uploaded to GitHub and exploited it. Then, in March, a hacker stole about $625 million from the Ronin blockchain, which underpins the Axie Infinity crypto game.
“Protecting cross-chain bridges from profitable attacks like this is one of the most pressing problems facing the Web3 community,” said Professor Ronghui Gu, CEO and co-founder of CertiK. “Their security posture needs to be ironclad, and that’s where many of the new developments in Web3 security will be most needed.”