Nomad Crypto Bridge loses $200 million in ‘messy’ hack

After a few quiet months, it happened again: another blockchain bridge hack with hundreds of millions of dollars in losses.

Nomad, a cryptocurrency bridge that lets users move tokens between blockchains, is the latest bridge to be hit, after a frenzied attack on Monday drained nearly $200 million of its funds.

The hack was acknowledged by the Nomad project’s official Twitter account on Monday, August 1, initially as an “incident” that was under investigation. In a further statement released early Tuesday morning, Nomad said the team was “working around the clock to address the situation” and had notified law enforcement.

In a separate Twitter thread, samczsun, a researcher at crypto investment and Web3 firm Paradigm, explained that the exploit was made possible by a misconfiguration of the project’s main smart contract, which allowed anyone with a basic understanding of the code to drain funds for themselves.

“This is why the hack was so messy,” samczsun wrote. “[Y]ou didn’t need to know about Solidity, Merkle Trees, or anything like that. All you had to do was find a successful transaction, find/replace the other person’s address with yours, and then rebroadcast it.”

A post-mortem report from blockchain security audit firm CertiK noted that this dynamic fed on itself: people who saw funds being stolen by the method above could substitute their own addresses and repeat the attack. This led to what one Twitter user described as “the first decentralized crowd looting of a 9-digit bridge in history.”

On a more optimistic note, Nassim Eddequiouaq, crypto CISO at Andreessen Horowitz, suggested that some funds could be recovered from white hats who had “preemptively drained” them, although the identities of those who took money from Nomad remain largely unknown.

Blockchain bridges are now routinely the targets of the most notable hacks in the cryptocurrency industry, because of the high value of the assets they hold and the complexity (and therefore potential weakness) of the smart contract code they run on. This year alone, hackers have made off with nearly $1 billion: in February, the Wormhole bridge was hacked for $325 million after an attacker discovered and exploited a bug in open-source code uploaded to GitHub. Then, in March, a hacker stole about $625 million from the Ronin blockchain, which underpins the Axie Infinity game.

“Protecting cross-chain bridges from lucrative attacks like this is one of the most pressing issues facing the Web3 community,” said Professor Ronghui Gu, CEO and co-founder of CertiK. “Their security posture should be ironclad, as many new developments in Web3 security will be sorely needed.”
