Nomad crypto bridge loses $200 million in chaotic hack

After a few quiet months, it’s happened again: another blockchain bridge hack with losses in the hundreds of millions of dollars.

Nomad, a cryptocurrency bridge that lets users swap tokens between blockchains, is the latest to be hit after a frenzied attack on Monday, which left almost $200 million of its funds drained.

The hack was acknowledged by the Nomad project’s official Twitter account on Monday, August 1st, initially as an “incident” that was being investigated. In a further statement released early Tuesday morning, Nomad said that the team was “working around the clock to address the situation” and had also notified law enforcement.

In another Twitter thread, samczsun — a researcher at the crypto and Web3 investment firm Paradigm — explained that the exploit was made possible by a misconfiguration of the project’s main smart contract that allowed anyone with a basic understanding of the code to authorize withdrawals to themselves.

“This is why the hack was so chaotic,” samczsun wrote. “[Y]ou didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”

A further post-mortem from blockchain security auditing firm CertiK noted that this dynamic created its own momentum, where people who saw funds being stolen using the above method were able to substitute their own addresses to replicate the attack. This led to what one Twitter user described as “the first decentralized crowd-looting of a 9-figure bridge in history.”

In a more optimistic take, Nassim Eddequiouaq, crypto CISO at Andreessen Horowitz, suggested the funds could be reclaimed from the “whitehats that drained preventively,” though the identities of those that obtained the funds from Nomad appear to be largely unknown.

Blockchain bridges are now routinely the targets of the most high-profile hacks in the cryptocurrency industry due to the large value of assets they often hold and the complexity (and thus potential vulnerability) of the smart contract code they run on. This year, just two hacks alone have accounted for almost a billion dollars of stolen funds: in February, the Wormhole bridge platform was hacked for $325 million after a hacker spotted an error in open-source code uploaded to GitHub and exploited it. Then, in March, a hacker stole around $625 million from the Ronin blockchain, which underlies the Axie Infinity crypto game.

“Protecting cross-chain bridges from lucrative attacks such as this is one of the most urgent problems facing the Web3 community,” said Professor Ronghui Gu, CEO and co-founder of CertiK. “Their security posture needs to be ironclad and is where many of the new developments in Web3 security will be most needed.”
