UPDATED 12:10 EST / AUGUST 02 2022

BLOCKCHAIN

Token bridge Nomad exploited for nearly $200M during ‘chaotic hack’

The cross-blockchain token bridge Nomad was attacked Monday and attackers were able to drain it of almost all of its funds, it was revealed today.

The attack stole about $190 million worth of cryptocurrencies from the bridge during the duration of the hack.

Nomad acts as a generalized protocol to allow users to send and receive cryptocurrency tokens between different blockchains. The attack comes as part of an ongoing trend where hackers have targeted these “bridges” with exploits and drained them of their funds.

Bridges operate by “wrapping” tokens on one network after freezing them on another through the use of smart contracts. By freezing them on the genesis blockchain, the bridge allows the value of the token to be transferred from one blockchain to another so that the same token is not duplicated between the two chains.

A routine upgrade to the Nomad protocol allowed the entire event to go down, Samczsun, a researcher at Paradigm, a cryptocurrency investment company, said on Twitter. A minor error in a Solidity smart contract allowed every message sent to be auto-authorized, meaning anyone could spoof transactions on Nomad.

“A routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad,” Samczsun said. “Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all.”

Upon discovering the exploit, attackers quickly fell upon the bridge in a frenzy. Unlike other hacks where only one attacker drained a bridge in one single attack, this exploit took place over a matter of hours with multiple small transactions.

The entire episode saw Wrapped Bitcoin (WBTC), Wrapped Ether (WETH), USD Coin (USDC), Frax, Covalent Query Token (CQT), Dai, Saddle DAO (SDL) and many more different types of tokens drained from the bridge.

The attack on Nomad is the sixth in a long string of hacks against bridges in 2022. According to a June report from research firm Elliptic, over $1 billion was stolen from token bridges in the first half of 2022, including a staggering $540 million heist of the Ronin bridge in March, the network behind the popular “Axie Infinity” crypto game.

What makes bridges so vulnerable? According to Elliptic, it’s a mixture of a number of reasons including their high store of liquid tokens needed to keep the bridge running, lack of decentralization and finally the speed of innovation in crypto leaving too many services open to security issues.

This exploit hits Nomad at a time shortly after the company revealed the full list of investors from its $22 million seed funding round in April, including Coinbase Ventures, Crypto.com Capital, Polygon, OpenSea and others. The company promotes itself as a “security-first cross-chain messaging solution” with an “optimistic security model.”

In the wake of the attack, Nomad said on Twitter that it is working with law enforcement and is “retaining leading firms for blockchain intelligence and forensics.”

“Our goal is to identify the accounts involved and to trace and recover the funds,” the company said.

The company also claimed that some of the attackers taking funds from the bridge were “white hat friends” who were acting proactively to “safeguard funds” and asked that they continue to hold them until the company could provide instructions on how to return them safely.

Photo: Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU