Nomad Bridge Drained of Nearly $200M in Massive Copy-Paste Hack
Nomad cross-chain bridge has suffered a massive exploit that led to the theft of nearly $200 million worth of crypto assets. The attack was unlike other bridge exploits, with some speculators calling it “one of the most chaotic hacks” in the history of Web3.
Nomad Bridge Losses $190.7M in Exploit
As a cross-chain bridge, Nomad allows users to transfer digital assets between blockchains such as Ethereum, Avalanche, and Moonbeam.
The hack was first confirmed in the early hours of August 2, 2022. At the time, the Nomad team revealed they were aware of the attack and investigations were ongoing.
The attackers moved $190.7 million worth of assets from the protocol, but Nomad said some white hat hackers intentionally withdrew some funds for safekeeping. If that’s true, the protocol will likely recover some assets, although the amount remains unknown.
A white hat who managed to withdraw about $3.4 million said they plan to return the assets to Nomad.
Analysts in the ETHSecurity Telegram channel first identified the hack. The researchers noticed a large volume of assets leaving the Nomad bridge. According to popular crypto community manager and white hat “samczsun,” the transactions initially appeared to be a misconfiguration in the token’s decimals.
“After all, it seemed as though the bridge was running a “send 0.01 WBTC, get 100 WBTC back” promotion,” samczsun said.
However, after further investigation, the coder discovered that it was, in fact, not a misconfiguration but an exploit because while the transaction on Moonbeam bridged out 0.01 WBTC, the Ethereum transaction bridged in 100 WBTC.
A Copy and Paste Attack
Unlike other bridge hacks, the Nomad bridge was open for all to exploit. The white hat said he found a fatal flaw within the Replica contract, adding that a routine update on one of Nomad’s smart contracts allowed users to replicate transactions in the protocol.
“This is why the hack was so chaotic — you didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it,” samczsun said.
The affected crypto assets include, among others, WBTC, Wrapped Ether (WETH), Covalent Query Token (CQT), Dai (DAI), Frax (FRAX), Hummingbird Governance Token (HBOT), IAGON (IAG), and USD Coin (USDC).
Although the Nomad team is yet to give an official update on the incident, the project is reportedly working with law enforcement to address the situation.
Meanwhile, in June, Harmony Protocol lost $100 million in a bridge exploit. Although the project could not recover the stolen funds, reports claimed that the infamous North Korean hacking group Lazarus perpetrated the attack.
~ By William A. Frederick ~
