The cross-blockchain token bridge Nomad was attacked Monday and drained of almost all of its funds, it was revealed today.
Roughly $190 million worth of cryptocurrency was taken from the bridge over the course of the attack.
Nomad acts as a generalized protocol to allow users to send and receive cryptocurrency tokens between different blockchains. The attack comes as part of an ongoing trend where hackers have targeted these “bridges” with exploits and drained them of their funds.
Bridges operate by locking tokens on one chain through a smart contract and minting “wrapped” representations of them on another. Because the originals stay locked on the origin chain, the value of the token can move from one blockchain to another without the same token being duplicated on both.
1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes 👇
— samczsun (@samczsun) August 1, 2022
A routine upgrade to the Nomad protocol set the whole event in motion, samczsun, a researcher at Paradigm, a cryptocurrency investment firm, said on Twitter. A small error in a Solidity smart contract caused messages that had never been proven against a valid Merkle root to be accepted as if they had been, meaning anyone could spoof transactions on Nomad.
“A routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad,” Samczsun said. “Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all.”
Once the exploit became public, attackers descended on the bridge in a frenzy, copying the original exploit transaction and substituting their own addresses. Unlike other bridge hacks, where a single attacker drained the funds in one transaction, this one played out over several hours across many smaller transactions from many different addresses.
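To make the failure mode described above concrete, here is an added Python model of the bridge's message-processing check; it is an illustration written for this article, not Nomad's Solidity source. It keeps only the pieces needed to show the bug: a map from message hash to the root the message was proven against, a map from root to the time at which that root becomes acceptable, and the check that process() runs. A message that was never proven reads back the mapping's default value, bytes32(0), so once the upgrade marked the zero root as acceptable, unproven messages passed. The mapping names mirror the contract's, the message encoding is a placeholder, and the “reject zero root” hardening is an assumed fix for illustration, not the project's actual patch.

```python
"""Added model of the Nomad Replica acceptance check (illustration, not project code)."""
import hashlib
import time
from typing import Dict, Optional, Tuple

ZERO_ROOT = b"\x00" * 32                         # bytes32(0): default for an unset mapping slot
LEGACY_STATUS_PROVEN = b"\x00" * 31 + b"\x01"    # sentinel values kept for backwards compatibility
LEGACY_STATUS_PROCESSED = b"\x00" * 31 + b"\x02"


def keccak_like(message: bytes) -> bytes:
    # Stand-in for keccak256; only uniqueness of the hash matters in this model.
    return hashlib.sha3_256(message).digest()


def encode_message(recipient: str, amount: int) -> bytes:
    # Placeholder encoding (assumption): real messages carry origin, nonce, sender, body, etc.
    return f"{recipient}:{amount}".encode()


class Replica:
    def __init__(self, committed_root: bytes, reject_zero_root: bool = False) -> None:
        self.messages: Dict[bytes, bytes] = {}    # message hash -> root it was proven against
        self.confirm_at: Dict[bytes, int] = {}    # root -> time at which the root becomes acceptable
        # Assumed hardening for illustration: refuse to trust the all-zero root at all.
        if reject_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("committed root must not be zero")
        # The upgrade's initialize() marked its committed root as immediately acceptable.
        # Passing 0x00 as that root is what turned "unproven" into "acceptable".
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if root == LEGACY_STATUS_PROVEN:
            return True
        if root == LEGACY_STATUS_PROCESSED:
            return False
        confirm_time = self.confirm_at.get(root, 0)
        if confirm_time == 0:
            return False
        return now >= confirm_time

    def process(self, message: bytes, now: Optional[int] = None) -> bool:
        """Return True if the message is accepted for execution, False for '!proven'."""
        now = int(time.time()) if now is None else now
        message_hash = keccak_like(message)
        # A message that was never proven reads back the mapping default: bytes32(0).
        root = self.messages.get(message_hash, ZERO_ROOT)
        if not self.acceptable_root(root, now):
            return False
        # Mark processed so the identical message cannot be replayed.
        self.messages[message_hash] = LEGACY_STATUS_PROCESSED
        return True


def demo_vulnerable() -> Tuple[bool, bool, bool]:
    """Zero committed root: unproven messages pass, and changing the recipient evades replay protection."""
    replica = Replica(committed_root=ZERO_ROOT)
    original = encode_message("0xattacker", 100)          # constructed sample message
    first = replica.process(original)                     # True: never proven, yet accepted
    replay = replica.process(original)                    # False: same hash is now PROCESSED
    copycat = replica.process(encode_message("0xcopycat", 100))  # True: new hash, still unproven
    return first, replay, copycat


def demo_fixed() -> bool:
    """Non-zero committed root: an unproven message is rejected as '!proven'."""
    real_root = keccak_like(b"constructed committed root")
    replica = Replica(committed_root=real_root, reject_zero_root=True)
    return replica.process(encode_message("0xattacker", 100))


def init_rejects_zero_root() -> bool:
    """The assumed hardening refuses to initialize with the all-zero root."""
    try:
        Replica(committed_root=ZERO_ROOT, reject_zero_root=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable (first, replay, copycat):", demo_vulnerable())
    print("fixed, unproven message accepted:", demo_fixed())
    print("fixed, zero root rejected at init:", init_rejects_zero_root())
```

The third call in demo_vulnerable is the “copy/paste” attack: the per-message replay guard only blocks the identical message, so anyone who re-sent the exploit transaction with their own recipient address produced a fresh, never-proven hash that the zero-root check waved through.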
The entire episode saw Wrapped Bitcoin (WBTC), Wrapped Ether (WETH), USD Coin (USDC), Frax, Covalent Query Token (CQT), Dai, Saddle DAO (SDL) and many more different types of tokens drained from the bridge.
The attack on Nomad is the sixth in a long string of hacks against bridges in 2022. According to a June report from research firm Elliptic, over $1 billion was stolen from token bridges in the first half of 2022, including a staggering $540 million heist in March of the Ronin bridge, which serves the network behind the popular “Axie Infinity” crypto game.
What makes bridges so vulnerable? According to Elliptic, it is a mixture of factors: the large pools of liquid tokens a bridge must hold to operate, a lack of decentralization, and the speed of innovation in crypto, which leaves too many services exposed to security issues.
The exploit hits Nomad shortly after the company revealed the full list of investors in its $22 million seed funding round in April, including Coinbase Ventures, Crypto.com Capital, Polygon, OpenSea and others. The company promotes itself as a “security-first cross-chain messaging solution” with an “optimistic security model.”
In the wake of the attack, Nomad said on Twitter that it is working with law enforcement and is “retaining leading firms for blockchain intelligence and forensics.”
“Our goal is to identify the accounts involved and to trace and recover the funds,” the company said.
The company also claimed that some of the attackers taking funds from the bridge were “white hat friends” who were acting proactively to “safeguard funds” and asked that they continue to hold them until the company could provide instructions on how to return them safely.