People Get Mad, Thanks To Nomad: $190 Million Bridge Exploit
More than $190 million in various tokens has vanished due to an exploit in the cross-chain bridge Nomad.
Nomad is a cross-chain bridge created for the safe transfer of tokens between different blockchains and the use of tokens in various networks. Also, Nomad gives developers the opportunity to create cross-chain applications (xApps) based on this bridge.
No matter how Nomad praises its high security, everything is subject to hacking. On August 1, reports began to appear on the network that an exploit was found in bridge. That vulnerability allowed many users to steal various tokens worth around $190 million.
Foobar (@0xfoobar), a developer, writer, and auditor, was one of the first in the community to notice this problem. He created a thread on Twitter, where he shared screenshots with transaction records.
After a while, an explanation of the exploit also appeared. Details of the attack were provided to the public by Samczsun (@samczsun) — a researcher of the crypto investment firm Paradigm.
Samczsun describes this attack as “one of the most chaotic hacks that Web3 has ever seen.” According his investigation, a routine upgrade in the bridge's code left a default parameter that allowed anyone to re-send old transactions with new addresses.
The first transaction, drained 100 WBTC from the bridge ($2.3 million). After users found out about the first attack, the fund began to flow out of bridge quickly. After all, in order to steal funds, it was enough for any user to simply “find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”
The attack caused chaos because many users took advantage of the exploit. The chaotic nature of the attack became a cause for jokes. For example, such as FatMan (@FatManTerra) — cryptocurrency and finance researcher.
FatMan also actively participated in the discussion of the attack and shared an interesting message from a user who used the exploit, but promised to return the funds.
To return the funds, Nomad published the wallet address on the main page of their site, in hope that some of the lost funds would be returned. For a return of funds, Nomad promises up to 10% of the stolen amount to those who return more than 90% of the stolen.
Nomad Bridge Hack
It its post-mortem post, Nomad team gave the date of the infamous update - June 22.
Between this date and the date of the attack, Nomad disclosed participants of its April $22.4 million seed round. Those included Coinbase Ventures, OpenSea, Crypto.com Capital, Wintermute, Gnosis, Algaé, and Polygon.
“Nomad’s optimistic security model is the gold standard for trust-minimized cross-chain communication,” said Pranay Mohan, CEO and co-founder of Nomad. “Our team is comprised of some of the most renowned experts in the interoperability space, and their work is bringing us closer to a world where cross-chain communication can be done securely and cost-efficiently.”
"With more than $1.5 billion stolen this year by hackers exposing vulnerabilities in cross-chain bridges, the industry is in need of security-first solutions that maximize the safety of users, funds, and messages." said the announcement.
Members Discussion