Nomad Cross-Chain Bridge Suffers $190 Million Exploit in a Copy-Paste Attack

[TL; DR]

Heists continue to ravage the crypto world, with reports of digital currency firms losing large sums to thefts and attacks seemingly every month. While crypto exchanges were once the main focus of attacks, Blockchain bridges now appear to be the new target for hackers.

After being audited on August 1, 2022, the cross-chain bridge Nomad suffered a cyber threat that resulted in the loss of $190 million in cryptocurrency funds. The report said that On Monday, Nomad was attacked, and hackers made away millions of dollars from the protocol. However, Nomad has become the most recent victim of the nine-figure hack on crypto and is also noted as the third largest in 2022.


Over $190 Million was Siphoned From Nomad.

---

Cross-chain Bridges are the frameworks that enable users to swap assets between several blockchains, the digital ledger that powers the majority of the world's cryptocurrencies. A bridge service "wraps" the currency when it exchanges one token for another so that it may operate on the other blockchain. These bridges "wrap" the tokens by enclosing them in smart contracts. Meanwhile, if the smart contracts protecting the core tokens get hacked, the wrapped tokens lose their backing, which means they will have no value or worth.

Notably, DeFi protocols like cross-chain bridges store large sums of liquidity, thereby making them a prime target for hackers. This is exactly the case with Nomad, a token bridge for cross-chain transactions between Ethereum, Avalanche, Milkomeda, and Moonbeam.

Just Last week, the company announced it was able to raise US$22.4 million in initial capital at a US$225 million valuation earlier this year after participating in a seed fund with other top brands in web3.0: Coinbase Ventures, OpenSea, Polygon, Crypto.com, Wintermute, and Gnosis. Unfortunately, it was not long before Nomad fell prey to cyberhackers.

The Popular cryptocurrency firm, Nomad, suffered a bridge hack, according to news reports and tweets on the Nomad site itself. The first illicit transaction happened at 11:30 p.m. CET, with 100 wrapped Bitcoin worth $2.3 million suddenly removed from Nomad. Nomad confirmed via Twitter that hackers had exploited the bridge, and in the early hours of August 2, Nomad bridge made a tweet, alerting that it was aware of an ongoing exploit. Two hours later, almost the entire protocol's funds of more than $190 million were siphoned.


'samczsun,' a white hat and developer in the crypto community, broke down the events that happened during the attack and provided a detailed explanation through a Twitter thread. He described the attack as "one of the most chaotic attacks that Web3 has ever seen". Hackers took advantage of Nomad's vulnerabilities and plundered more than $190 million in assets.


How was Nomad hacked?

---

News of the attack came in the ETHSecurity Telegram channel when some researchers shared a tweet showing multiple transactions of money leaving the bridge. It seemed to be a token decimal setup error until Samczsun reported on Twitter: "However, after some painful manual digging on the Moonbeam network, I confirmed that while the Moonbeam transaction did bridge out 0.01 WBTC, somehow the Ethereum transaction bridged in 100 WBTC."

Further investigation by the developer revealed a fatal weakness in the "Replica" smart contract, which had started during a normal Nomad upgrade. He continued that this was chaotic because the crypto fraudsters did not need technical expertise. All they had to do was locate a successful transaction, swap out the destination address with their own, and rebroadcast it.

"A routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all", Samczsun stated.

Obviously, the smart contract contained a catastrophic error. Oxfoobar, DeFi, and NFT founder, also discovered the smart contract security flaw and gave his report that; During a routine upgrade, the team mistakenly declared the zero root (0x00) as an acceptable root when they called the `initialized()` function. The zero roots made it possible for every message to be automatically verified by default.

Nonetheless, opportunists exploited the flaw after learning about the potential for more attacks, copied the hacker's transaction details, updated the original address to their addresses, and cleverly withdrew money. The exploit is simple to duplicate, which explains why it is the most chaotic attack.


NOMAD SUFFERS LOSS

---

According to DefiLlama, Nomad's Total Value Locked (TVL) has drastically crashed from $190.38 million to $5,336 over the few hours. Apart from wrapped Bitcoin and wrapped Ether (wETH), other stolen assets included USDC and DAI.

This is indisputably one of the most chaotic crowd looting attacks in DeFi history. The strange thing about this exploit is that hundreds of wallets were receiving payments from the Nomad bridge in a total of over one million USDC consistently. Sources have it that some of the users were "whitehats." Hence, when they noticed it was an attack, they quickly saved the funds and returned them once everything was under control. However, users who withdrew the funds after the system was disrupted probably got to keep the stolen assets.

While a few of those exploiters have claimed credit and promised to restore their money, the huge bulk of the money has already been lost.


Reactions After The Hack

---

The Nomad bridge company posted on Twitter on Monday evening that it was "aware of impersonators acting as Nomad and providing fraudulent addresses to collect funds." Later, the community received another tweet from Nomad on Tuesday saying, "Thank you to our many white hat friends who acted proactively and are safeguarding funds. Please continue to hold them until we provide further instructions on this thread."

Nomad later confirmed in an August 2 tweet that it was "working around the clock to address the situation and [had] notified law enforcement and retained leading firms for blockchain intelligence and forensics." They added, "Our goal is to identify the accounts involved and trace and recover the funds."

The Nomad bridge has been suspended following the attack, according to the official Nomad Twitter thread. The team revealed that they are working with law enforcement to probe the event further.

To wit,

"We are aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds. We are not yet providing instructions to return bridge funds. Disregard comms from all
channels other than Nomad’s official channel: @nomadxyz_”


There are vivid speculations that some of the cash was retrieved by white hat hackers to secure them.

The event is currently under investigation, and the hacked project hasn't released any more explanation. Moreover, several crypto experts have given their workable opinions concerning this incident;

According to Chris Cleveland, the founder, and CEO of PIXM, the Nomad incident warns how far cryptocurrency platforms in general and cross-chain bridges still need to advance in terms of security. He said, "We are seeing and monitoring crypto-related phishing and other cyberattacks every day, and they are getting more sophisticated and require users to exercise more caution than ever."


conclusion

---

The rising incidence of bridge attacks only adds to security and trust concerns in the crypto industry. The fact that blockchain is decentralized makes it quick to defend.

However, since both the protocols and the software were all made by individuals, it is possible that there are vulnerabilities.


Author: Gate.io Observer: M. Olatunji
* This article represents only the views of the observers and does not constitute any investment suggestions.
*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.