After a few quiet months, it’s that time again: another blockchain bridge hack with losses in the hundreds of millions of dollars.
Nomad, a cryptocurrency bridge that allows users to exchange tokens between blockchains, is the latest to be hit after a frenzied attack on Monday that drained nearly $200 million of its funds.
The hack was acknowledged by the Nomad project’s official Twitter account on Monday, August 1, initially as an “incident” under investigation. In a further statement released early Tuesday morning, Nomad said the team was “working around the clock to address the situation” and had also informed law enforcement.
Update: We are working around the clock to address the situation and have notified law enforcement and retained leading companies for blockchain intelligence and forensics. Our goal is to identify the affected accounts and track and recover the funds.
— Nomad (⤭⛓ ) (@nomadxyz_) August 2, 2022
In another Twitter thread, samczsun, a researcher at the crypto and Web3 investment firm Paradigm, explained that the exploit was made possible by a misconfiguration of the project’s main smart contract: a routine upgrade had marked the zero-value root as trusted, and unproven messages carry that same default value, so the contract accepted any message presented to it. The result was that anyone with a basic understanding of the code could authorize transfers to themselves.
“This is why the hack was so chaotic,” samczsun wrote. “[Y]ou didn’t need to know anything about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then rebroadcast it.”
A further post-mortem from blockchain security auditing firm CertiK noted that this dynamic created its own momentum: onlookers who saw funds being drained by the method above could copy the same transaction, substitute their own address, and replicate the attack. This led to what one Twitter user described as “the first decentralized crowd-looting of a 9-figure bridge in history.”
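The mechanism described above, as an added worked example that is not Nomad’s code or CertiK’s analysis: a simplified model of a bridge “replica” contract whose message-acceptance check treats the zero root as trusted after a misconfigured upgrade. The class and method names, the `confirm_at`/`messages` mappings, and the sample messages are constructed for illustration; the stand-in hash is SHA-256 rather than keccak256. The model shows why copying a successful transaction and swapping the recipient works against the misconfigured contract, and how a hardened check that refuses the zero root stops it while still accepting properly proven messages.

```python
"""Simplified model of a cross-chain bridge replica's process() check.
Added example, not Nomad's contract code. Names and data are constructed."""
from dataclasses import dataclass, field
from hashlib import sha256

# Unproven messages default to this value in the messages mapping.
ZERO_ROOT = b"\x00" * 32


def message_hash(data: bytes) -> bytes:
    # Stand-in for keccak256 (assumption: any collision-resistant hash suffices here).
    return sha256(data).digest()


@dataclass
class Message:
    sender: str
    recipient: str
    amount: int

    def encode(self) -> bytes:
        return f"{self.sender}|{self.recipient}|{self.amount}".encode()


@dataclass
class Replica:
    # root -> block number at which it became trusted; 0 / absent means untrusted
    confirm_at: dict = field(default_factory=dict)
    # message hash -> root the message was proven against; absent means unproven
    messages: dict = field(default_factory=dict)
    # hardened variant refuses the zero root outright
    reject_zero_root: bool = False
    processed: list = field(default_factory=list)

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        return self.confirm_at.get(root, 0) != 0

    def prove(self, msg: Message, root: bytes) -> None:
        # Records that msg was shown to be included under `root` (proof omitted in model).
        self.messages[message_hash(msg.encode())] = root

    def process(self, msg: Message) -> bool:
        # Unproven messages look up to the zero root; the check must reject that.
        root = self.messages.get(message_hash(msg.encode()), ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.append(msg)
        return True


def misconfigured_replica() -> Replica:
    """Upgrade that (wrongly) marks the zero root as trusted at block 1."""
    r = Replica()
    r.confirm_at[ZERO_ROOT] = 1
    return r


def hardened_replica() -> Replica:
    """Same state, but acceptable_root() refuses the zero root."""
    r = Replica(reject_zero_root=True)
    r.confirm_at[ZERO_ROOT] = 1  # the bad initialization is now harmless
    return r


def copycat(seen: Message, my_address: str) -> Message:
    """Replay of an observed transaction with only the recipient swapped."""
    return Message(seen.sender, my_address, seen.amount)


if __name__ == "__main__":
    vuln = misconfigured_replica()
    first = Message("0xoriginal", "0xoriginal", 100)   # constructed sample
    print("unproven message on misconfigured replica:", vuln.process(first))
    print("copycat with swapped recipient:", vuln.process(copycat(first, "0xcopycat")))
    fixed = hardened_replica()
    print("copycat on hardened replica:", fixed.process(copycat(first, "0xcopycat")))
```

The hardened variant only closes the zero-root hole; a real replica must also verify the inclusion proof before recording a message under a root, which the `prove()` method deliberately omits here.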
In a more optimistic view, Nassim Eddequiouaq, crypto CISO at Andreessen Horowitz, suggested that the money could be recovered from the “whitehats who pre-emptively drained” the bridge, although the identities of those who took funds from Nomad appear to be largely unknown.
@a16z Crypto’s security team has investigated and found the root cause of the @nomadxyz_ bridge hack. There is nothing to do at this point other than get funds back from the whitehats who pre-emptively drained.
We are working with ecosystem members to prevent such issues in the future. https://t.co/UpIagMJctQ
— Nass – nassyweazy.eth (@nassyweazy) August 2, 2022
Blockchain bridges are now routinely the target of the cryptocurrency industry’s most high-profile hacks, because of the high value of the assets they hold and the complexity (and therefore the attack surface) of the smart contract code they run on. This year alone there have been two hacks totalling nearly a billion dollars in stolen funds: in February, the Wormhole bridge was hacked for $325 million after an attacker found a flaw in open source code uploaded to GitHub and exploited it. Then, in March, an attacker stole about $625 million from the Ronin blockchain, which underlies the Axie Infinity crypto game.
“Protecting cross-chain bridges from lucrative attacks like this one is one of the most pressing issues facing the Web3 community,” said Professor Ronghui Gu, CEO and co-founder of CertiK. “Their security posture needs to be rock solid, and that’s where many of the new developments in Web3 security will be needed the most.”