Nomad, a cross-chain bridge, lost about $200 million (roughly Rs. 1,570 crore) in what security researchers are calling a ‘free-for-all’ exploit. Unlike conventional attacks, where a single attacker is responsible, Nomad's funds were drained by many unrelated parties copying one another. Sam Sun (samczsun), a researcher at Paradigm, explained that a recent upgrade to one of Nomad's smart contracts made it trivial for anyone to spoof bridge messages and withdraw funds that did not belong to them. According to Sun, this is one of the most chaotic exploits the Web3 sector has seen so far.
Nomad lets users move cryptocurrencies between different blockchains. Cross-chain bridges like Nomad typically lock tokens in a smart contract on one chain and issue a ‘wrapped’ representation of them on another chain; the locked tokens back the wrapped ones, which is why a flaw in the contracts guarding them is so costly.
In Nomad’s case the fault was not sabotage of the deposit contract but a misconfiguration, introduced by a routine upgrade, in the contract that verifies messages arriving from the other chain: the upgrade marked the zero hash as a confirmed Merkle root. A message that has never been proven has no root recorded for it, so its stored root reads as zero, and once zero counted as confirmed, any message, proven or not, passed the check and could release funds.
“This is why the hack was so chaotic — you didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it,” Sun wrote as part of his Twitter thread, decoding the dynamics of the exploit on Nomad.
12/ tl;dr a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all
— samczsun (@samczsun) August 2, 2022
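To make the mechanism in Sun's quote and tl;dr concrete, here is a simplified model of a bridge's message-verifying contract, written for this article as an added example; it is not Nomad's contract code. The class and function names, the 20-byte-recipient plus 32-byte-amount message layout, the stubbed Merkle proof and the use of SHA-256 in place of keccak256 are all assumptions chosen for illustration. It shows why a never-proven message reads as having a zero root, why marking zero as a valid root lets any message through, why a straight replay still fails (the hash is already marked processed) but a copy with the recipient swapped succeeds, and what the obvious fix (never accept a zero root) does to the same attack.

```python
"""Model of a Nomad-style bridge 'replica' and the zero-root bug (added example,
not Nomad's code; names, message layout and the SHA-256 stand-in for keccak256
are assumptions chosen for illustration)."""
import hashlib

ZERO_ROOT = bytes(32)  # 0x00..00: what an unset 32-byte storage slot reads as on the EVM


def msg_hash(message: bytes) -> bytes:
    # keccak256 in Solidity; SHA-256 here only to keep the example dependency-free
    return hashlib.sha256(message).digest()


def encode_message(recipient: str, amount: int) -> bytes:
    # Constructed layout: 20-byte recipient | 32-byte big-endian amount. Nothing in the
    # message is signed; its authenticity comes only from the Merkle proof against a root.
    return bytes.fromhex(recipient) + amount.to_bytes(32, "big")


def decode_message(message: bytes):
    return message[:20].hex(), int.from_bytes(message[20:], "big")


class Replica:
    def __init__(self, committed_root: bytes, reject_zero_root: bool):
        # root -> timestamp from which it is acceptable; missing == never confirmed
        self.confirm_at = {committed_root: 1}
        # message hash -> root it was proven against; missing == slot reads as zero
        self.messages = {}
        self.processed = set()
        self.balances = {}
        self.reject_zero_root = reject_zero_root

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # the fix: a zero root can never be a proven root
        return self.confirm_at.get(root, 0) != 0

    def prove(self, message: bytes, root: bytes, proof_ok: bool) -> None:
        # Merkle-proof verification is stubbed as a boolean; a real replica recomputes the root
        if not proof_ok:
            raise ValueError("bad proof")
        self.messages[msg_hash(message)] = root

    def process(self, message: bytes) -> None:
        h = msg_hash(message)
        if h in self.processed:
            raise ValueError("already processed")
        root = self.messages.get(h, ZERO_ROOT)  # never-proven message reads as zero root
        if not self.acceptable_root(root):
            raise ValueError("!proven")
        self.processed.add(h)
        recipient, amount = decode_message(message)
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def routine_upgrade_marks_zero_root(self) -> None:
        # The upgrade the tweet describes: the zero hash becomes an acceptable root
        self.confirm_at[ZERO_ROOT] = 1


ALICE = "aa" * 20   # constructed addresses
MALLORY = "bb" * 20
ROOT = hashlib.sha256(b"constructed merkle root").digest()


def copy_paste_attack(fixed: bool) -> dict:
    replica = Replica(ROOT, reject_zero_root=fixed)
    replica.routine_upgrade_marks_zero_root()

    # 1. A legitimate withdrawal: proven against a real root, then processed.
    legit = encode_message(ALICE, 100)
    replica.prove(legit, ROOT, proof_ok=True)
    replica.process(legit)

    # 2. Attacker copies that transaction's calldata and swaps the recipient. The forged
    #    message has a new hash, so it was never proven and its stored root reads as zero.
    forged = legit.replace(bytes.fromhex(ALICE), bytes.fromhex(MALLORY))
    try:
        replica.process(forged)
        outcome = "accepted"
    except ValueError as e:
        outcome = f"rejected: {e}"
    return {"outcome": outcome,
            "alice": replica.balances.get(ALICE, 0),
            "mallory": replica.balances.get(MALLORY, 0)}


if __name__ == "__main__":
    print(copy_paste_attack(fixed=False))  # outcome 'accepted', mallory 100
    print(copy_paste_attack(fixed=True))   # outcome 'rejected: !proven', mallory 0
```

The check that matters is the one in `acceptable_root`: the vulnerable version asks only "is this root confirmed?", which the zero root now is; the fixed version refuses the zero root outright, so a message that was never proven can never be processed regardless of what the confirmation table says.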
Nomad has not issued a formal statement on the incident, but it has acknowledged it on Twitter and warned users about impersonators.
We’re aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds. We aren’t yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad’s official channel: @nomadxyz_
— Nomad (⤭⛓🏛) (@nomadxyz_) August 2, 2022
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022
Nomad’s detailed response on the incident remains awaited.
Bridges have become a popular element of the cryptosphere now that more people have begun swapping assets between different blockchains.
These bridges are attractive targets for attackers: each one holds a large pool of locked collateral, and a single flaw in its message verification or key management can release all of it.
In March, an attack on Axie Infinity’s Ronin bridge drained $625 million (roughly Rs. 4,729 crore) from its operator, the gaming company Sky Mavis. The Ronin Network, built by Sky Mavis for Axie Infinity, is a sidechain whose bridge moves cryptocurrencies between Ronin and Ethereum, in and out of the game. That attack involved no contract bug: the attacker obtained enough of the bridge’s validator signing keys to authorise withdrawals.
Back in February, Wormhole, a bridge that moves assets between Solana, Ethereum and other chains, was breached for $322 million (roughly Rs. 2,410 crore) worth of Ether after the attacker bypassed its signature verification on the Solana side and minted wrapped Ether that no locked deposit backed.