Nomad Token Bridge Raided for $190M in ‘Frenzied Free-For-All’
- The Nomad incident is the third-biggest cryptocurrency hack of the year, behind Wormhole and Ronin
- Around 41 addresses siphoned cryptocurrency from the protocol
Token bridge Nomad has suffered a “frenzied free-for-all” after attackers raided the protocol for more than $190 million in cryptocurrency.
Nomad, which marketed itself as a “security-first” platform for sending ERC-20 tokens between compatible blockchains, confirmed the raid in a Tuesday morning tweet.
The incident differs from the other large-scale hacks that have crippled token bridges this year. Token bridges enable crypto users to port digital assets across networks by first locking them inside a smart contract.
The bridge then issues a derivative token, a “wrapped asset,” on the other side, whose value is backed by the original deposit. Nomad supports Ethereum, Avalanche, Evmos and Moonbeam.
February’s Wormhole hack saw attackers exploit buggy smart contract code to mint themselves $320 million in Wrapped Ether without posting the required collateral.
The Axie Infinity Ronin bridge attack, disclosed in March, involved a months-long phishing campaign to acquire private keys associated with its multisig wallet, which resulted in some $625 million in crypto stolen (both incidents valued at the time of the attack).
But Sam Sun, head of security at digital asset investment firm Paradigm, explained in a Twitter thread that Nomad’s thieves didn’t need to know anything about the Ethereum programming language Solidity to make off with user collateral.
Rari Capital hacker returned to raid Nomad
Nomad’s developers had accidentally pushed a routine upgrade that told the protocol to process any transaction with the default root hash of “0x00,” whereas blockchain networks usually require a unique and specific root as proof that the transaction is valid.
This meant Nomad would effectively approve any transaction submitted to the protocol. After an attacker realized this and initiated large illicit transfers, other users simply copy-pasted the attacker’s transaction script and replaced the receiver address with their own, explained Victor Young, chief architect at interoperability network Analog.
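The failure mode described above, as a simplified Python model added here (it is not Nomad's contract code): a trusted default root next to a hardened check and a pre-deployment guard. `ToyBridge`, its fields, and the fallback of unproven messages to the zero root are assumptions made for illustration.

```python
import hashlib

ZERO_ROOT = bytes(32)  # the default "0x00" root hash the article refers to

class ToyBridge:
    """Hypothetical model of a bridge's acceptance check, not Nomad's code."""

    def __init__(self, trusted_roots):
        self.trusted_roots = set(trusted_roots)
        self.proven_under = {}  # message digest -> root it was proven against
        self.processed = set()

    def prove(self, message, root):
        # Stand-in for Merkle proof verification, assumed to have succeeded.
        self.proven_under[hashlib.sha256(message).digest()] = root

    def process(self, message, hardened):
        digest = hashlib.sha256(message).digest()
        if digest in self.processed:
            return False  # replay
        # Assumption: a message that was never proven maps to the all-zero
        # default, the way an unset storage slot reads back as zero.
        root = self.proven_under.get(digest, ZERO_ROOT)
        if hardened and root == ZERO_ROOT:
            return False  # a default value is never evidence of a proof
        if root not in self.trusted_roots:
            return False
        self.processed.add(digest)
        return True

def zero_root_is_untrusted(trusted_roots):
    """Pre-deployment check: the zero root must never be in the trusted set."""
    return ZERO_ROOT not in set(trusted_roots)

def demo():
    real_root = hashlib.sha256(b"constructed root").digest()
    proven = b"constructed message with a valid proof"
    unproven = b"constructed message with no proof at all"
    configs = {"faulty_upgrade": [real_root, ZERO_ROOT], "correct_init": [real_root]}
    results = {}
    for name, roots in configs.items():
        for hardened in (False, True):
            bridge = ToyBridge(roots)
            bridge.prove(proven, real_root)
            results[(name, hardened)] = (bridge.process(proven, hardened),
                                         bridge.process(unproven, hardened))
    return results

if __name__ == "__main__":
    print(demo())
```

Only the faulty-upgrade configuration without the zero-root guard accepts the unproven message; `zero_root_is_untrusted` is the kind of assertion a test suite can run against an upgrade's initial state before it ships.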
To Young, a key advantage of smart contract platforms, like the ones powering Nomad, is that they are Turing-complete systems. They can compute “virtually everything a modern digital computer can do from a mathematical standpoint,” Young said.
“Unfortunately, this introduces countless and unknown attack vectors that open the smart contract to hacks,” Young told Blockworks. “When you combine this with lax developers that fail to implement a robust set of testing mechanisms, you get the ridiculous meltdown that we are currently witnessing.”