November 29, 2023

After a few quiet months, it happened again: another blockchain bridge hack with hundreds of millions of dollars in losses.

Nomad, a cryptocurrency bridge that allows users to exchange tokens between blockchains, is the latest to be hit after a frenzied attack on Monday left nearly $200 million of its funds depleted.

The hack was acknowledged on the Nomad Program’s official Twitter account on Monday, August 1, initially as an “incident” under investigation. In a further statement released early Tuesday morning, Nomad said the team was “working around the clock to address the situation” and had also notified law enforcement.

In another Twitter thread, samczsun, a researcher at the crypto investment firm Paradigm, explained that the exploit was made possible by a misconfiguration of the project’s main smart contract that allowed anyone with a basic understanding of the code to authorize withdrawals to themselves.

“This is why the hack was so chaotic,” wrote samczsun. “[Y]ou didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then rebroadcast it.”

A further postmortem by the blockchain security audit firm CertiK noted that this created its own dynamic, in which people who saw money being stolen using the above method were able to substitute their own addresses and replicate the attack. This led to what one Twitter user described as “The first decentralized crowd looting of a 9-digit bridge in history”.

On a more optimistic note, Nassim Eddequiouaq, crypto CISO at Andreessen Horowitz, suggested that some of the funds could be recovered from white hats who had preemptively drained them, although the identities of those who received funds from Nomad appear to be largely unknown.

Blockchain bridges are now commonly the target of the most high-profile hacks in the cryptocurrency industry, due to the large value of assets they often hold and the complexity (and thus potential vulnerability) of the smart contract code they run. This year, just two hacks accounted for nearly a billion dollars in stolen funds: in February, the Wormhole bridge platform was hacked for $325 million after an attacker found a bug in open source code uploaded to GitHub and exploited it. Then, in March, an attacker stole about $625 million from the Ronin blockchain, which underpins the Axie Infinity crypto game.

“Protecting cross-chain bridges from profitable attacks like this is one of the most pressing problems facing the Web3 community,” said Professor Ronghui Gu, CEO and co-founder of CertiK. “Their security posture needs to be ironclad, and that’s where many of the new developments in Web3 security will be most needed.”
