Nomad is a cross–chain bridge created for the safe transfer of tokens between different blockchains and the use of tokens in various networks. Also, Nomad gives developers the opportunity to create cross-chain applications (xApps) based on this bridge.
No matter how Nomad praises its high security, everything is subject to hacking. On the first of August, reports began to appear on the network that an exploit was found in bridge. That vulnerability allowed many users to steal various tokens worth more than $150 million.
Foobar (@0xfoobar), a developer, writer, and auditor, was one of the first important people in the crypto industry to notice this problem. He created a thread on Twitter, where he shared screenshots with transaction records.
After a while, an explanation of the exploit also appeared. Details of the attack were provided to the public by Samczsun (@samczsun) — a researcher in the crypto investment firm Paradigm.
According to samczsun, this attack is “one of the most chaotic hacks that Web3 has ever seen.” According to the investigation conducted by samczsun, the reason for the attack was a line of code in the Replica contract. And it was that, that led to the appearance of the exploit — “effect of auto-proving every message.”
It’s hard to say whether this exploit was intentionally found or someone accidentally opened it, but after users found out about its existence, money began to flow out of bridge extremely quickly. After all, in order to steal funds, it was enough for any user to simply “find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”
The attack caused chaos because so many users took advantage of the exploit. The chaotic nature of the attack became a cause for jokes. For example, such as FatMan (@FatManTerra) — cryptocurrency and finance researcher.
FatMan also actively participated in the discussion of the attack and shared an interesting message from a user who used the exploit, but promised to return the funds.
To return the funds, Nomad published the wallet address on the main page of their site, in hope that some of the lost funds would be returned. For a return of funds, Nomad promises up to 10% of the stolen amount to those who return more than 90% of the stolen.
As history of evolution of not only blockchain, but also computer technology in general shows, there is nothing that cannot be hacked. Therefore, be careful with your assets. We continue to observe.