After a few quiet months, it happened again: another blockchain bridge hack with hundreds of millions of dollars in losses.
Nomad, a cryptocurrency bridge that allows users to exchange tokens between blockchains, is the latest bridge to come under attack after Monday’s frenzied attack that left nearly $200 million of its funds drained.
was the hack He confessed By Project Nomad’s official Twitter account on Monday, August 1, initially as an “accident” it was under investigation. In another statement released early Tuesday morning, Nomad said the team was “working around the clock to address the situation” and also notified law enforcement.
Update: We are working around the clock to address the situation and have notified law enforcement and retained leading companies in the field of blockchain intelligence and forensics. Our goal is to identify the accounts involved, track and recover funds.
– Nomad (⤭⛓) (nomadxyz_) August 2, 2022
In another Twitter thread, samczsun – a researcher at crypto investment firm and Web3 Paradigm – explained that the exploit was made possible by a misconfiguration of the project’s master smart contract that allowed anyone with a basic understanding of the code to pull for themselves.
“This is why the hack was so messy,” Samczon wrote. “[Y]She didn’t need to know more about Solidity, Merkle Trees, or anything like that. All you have to do is find a successful transaction, find/replace the other person’s address with yours, and then rebroadcast it.”
Another posthumous report from blockchain security audit firm CertiK noted that this dynamic created its own impetus, as people who saw funds stolen using the above method were able to exchange their own addresses to repeat the attack. This led to what one Twitter user said described as “The first decentralized crowd looting of a 9-digit bridge in history.”
On a more optimistic note, Nassim Eldakwik, CISO Crypto at Andreessen Horowitz, suggested that funds could be recovered from “preemptively drained Whitehats,” although the identities of those who got the money from Nomad appear largely unknown.
security team in @a16z Crypto has investigated and found the root cause of nomadxyz_ bridge penetration. There is nothing that can be done at this time except to recover funds from whitehats that have drained preemptively.
We will work with members of the ecosystem to prevent such issues in the future. https://t.co/UpIagMJctQ
– people – nassyweazy.eth (@nassyweazy) August 2, 2022
Blockchain bridges are now routinely targets of most notable hacks in the cryptocurrency industry due to the great value of the assets they often hold and the complexity (and thus potential weakness) of the smart contract code they run on. This year, only a hacker made nearly $1 billion in stolen money: in February, the Wormhole Bridge platform was hacked for $325 million after a hacker discovered and exploited an error in open source code uploaded to GitHub. Then, in March, a hacker stole about $625 million from the Ronin blockchain, which forms the basis of Axi Infinity Encoder game.
“Protecting cross-chain bridges from lucrative attacks like this is one of the most pressing issues facing the Web3 community,” said Professor Ronggui Guo, CEO and co-founder of CertiK. “Their security posture should be ironclad, as many new developments in Web3 security will be sorely needed.”