After a few quiet months, it happened again: another blockchain bridge hack with losses of hundreds of millions of dollars.
Nomad, a cryptocurrency bridge that allows users to swap tokens between blockchains, is the latest to be hit after a frenzied attack on Monday drained nearly $200 million from its funds.
The hack was recognized by the official Project Nomad Twitter account on Monday, August 1, initially as an “incident” that was under investigation. In another statement released early Tuesday morning, Nomad said the team was “working around the clock to remedy the situation” and had also notified law enforcement.
Update: We are working around the clock to remedy the situation and have notified law enforcement and retained the services of leading companies for blockchain intelligence and forensics. Our goal is to identify the affected accounts and trace and recover the funds.
— Nomad (⤭⛓ ) (@nomadxyz_) August 2, 2022
In another Twitter thread, samczsun – a researcher at crypto investment firm and Web3 Paradigm – explained that the exploit was made possible by a misconfiguration of the project’s main smart contract that allowed anyone with an understanding of base code to authorize withdrawals.
“That’s why the hack has been so chaotic,” Samczsun wrote. “[Y]You didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with your own, and then resubmit.
Another post-mortem from blockchain security audit firm CertiK noted that this dynamic created its own dynamic, where people who saw funds stolen using the above method were able to substitute their own addresses to replicate. the attack. This led to a Twitter user described as “the first decentralized plunder of a 9-digit bridge in history.”
In a more optimistic version, Nassim Eddequiouaq, CISO crypto at Andreessen Horowitz, suggested that the funds could be recovered from “white hats who ran out preemptively”, although the identity of those who obtained the funds from Nomad appears to be largely unknown.
The security team of @a16z Crypto investigated and found the root cause of the @nomadxyz_ hack the bridge. Nothing to do for the moment except to recover the funds of the whitehats which have emptied preventively.
We will work with members of the ecosystem to prevent such issues in the future. https://t.co/UpIagMJctQ
— Nass – nassyweazy.eth (@nassyweazy) August 2, 2022
Blockchain bridges are now regularly the target of the most high-profile hacks in the cryptocurrency industry due to the high value of the assets they often hold and the complexity (and therefore potential vulnerability) of the code behind them. smart contract on which they run. Just two hacks alone accounted for nearly $1 billion in stolen funds this year: In February, the Wormhole Bridge platform was hacked for $325 million after a hacker spotted an error in the open source code uploaded to GitHub and exploited it. Then, in March, a hacker stole around $625 million from the Ronin blockchain, which underpins the Axie Infinity crypto game.
“Protecting cross-chain bridges from lucrative attacks like this is one of the most pressing issues facing the Web3 community,” said Professor Ronghui Gu, CEO and co-founder of CertiK. “Their security posture needs to be rock solid and that’s where many of the new developments in Web3 security will be most needed.”