Nomad Token Bridge Raided for $190M in ‘Frenzied Free-For-All’


  • The Nomad incident is the third-biggest cryptocurrency hack of the year, behind Wormhole and Ronin
  • Around 41 addresses siphoned cryptocurrency from the protocol

Token bridge Nomad has suffered a “frenzied free-for-all” after attackers raided the protocol for more than $190 million in cryptocurrency.

Nomad, which marketed itself as a “security-first” platform for sending ERC-20 tokens between compatible blockchains, confirmed the raid in a Tuesday morning tweet.

The incident differs from the other large-scale hacks that have crippled token bridges this year. Token bridges enable crypto users to port digital assets across networks by first locking them inside a smart contract.

The bridge then issues a derivative token, a “wrapped asset,” on the other side, with its value backed by the original deposit. Nomad supports Ethereum, Avalanche, Evmos and Moonbeam.

February’s Wormhole hack saw attackers exploit buggy smart contract code to mint themselves $320 million in Wrapped Ether without posting the required collateral.

The Axie Infinity Ronin bridge attack, disclosed in March, involved a months-long phishing campaign to acquire private keys associated with its multisig wallet, which resulted in some $625 million in crypto stolen (both incidents valued at the time of the attack).

But Sam Sun, head of security at digital asset investment firm Paradigm, explained in a Twitter thread that Nomad’s thieves didn’t need to know anything about the Ethereum programming language Solidity to make off with user collateral.

Rari Capital hacker returned to raid Nomad

Nomad’s developers had accidentally pushed a routine upgrade which told the protocol to process any transaction with the default root hash of “0x00,” where usually blockchain networks require a unique and specific root as proof that the transaction is valid.

This meant Nomad would effectively approve any transaction submitted to the protocol. After an attacker realized this and initiated large illicit transfers, other users simply copy-pasted their transaction script and replaced the receiver address with their own, explained Victor Young, chief architect at interoperability network Analog.

To Young, a key advantage of smart contract platforms, like the ones powering Nomad, is that they are Turing-complete systems. They can compute “virtually everything a modern digital computer can do from a mathematical standpoint,” Young said.

“Unfortunately, this introduces countless and unknown attack vectors that open the smart contract to hacks,” Young told Blockworks. “When you combine this with lax developers that fail to implement a robust set of testing mechanisms, you get the ridiculous meltdown that we are currently witnessing.”

Young prescribed end-to-end tests and repeated code audits for other blockchain platforms to help mitigate the risk of this happening elsewhere.

Blockchain security firm PeckShield reported that around 41 addresses had raided Nomad, draining a mixture of Wrapped Bitcoin and Wrapped Ether alongside the stablecoins DAI and USDC.

Notably, the same address associated with the Rari Capital hack in late April was said to have pilfered $3.4 million in cryptocurrency. Less than $12,000 remains in Nomad’s smart contracts, down from more than $190 million before the raid, per DeFi Llama.

The Nomad incident is now the third-biggest hack of the year, behind Wormhole and Ronin. It’s unclear what’s next for the firm.

Both the Wormhole and Axie Infinity teams raised venture capital in a bid to make both their users and protocols whole following their respective hacks. Blockworks has reached out to Nomad to learn more about their plans.
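A simplified model, added here and not Nomad’s contract code, of the acceptance check the article describes: an upgrade marks the default root 0x00 as confirmed, so messages that were never proven against any root pass the check, and an explicit rejection of the zero root closes that path. `Replica`, `confirm_at`, `proven_root` and the sample messages are this model’s own constructed names and values.

```python
import hashlib
from dataclasses import dataclass, field

# The "0x00" default root the article describes: in the EVM an unset bytes32
# mapping slot reads as 32 zero bytes, so an unproven message maps to this root.
ZERO_ROOT = bytes(32)


@dataclass
class Replica:
    """Constructed model of a bridge replica that gates message processing on
    whether the message's Merkle root has been confirmed (not Nomad's code)."""
    # root -> time from which it is trusted; absent or 0 means "never confirmed"
    confirm_at: dict = field(default_factory=dict)
    # message hash -> root the message was proven against
    proven_root: dict = field(default_factory=dict)
    reject_zero_root: bool = False  # the hardening this example adds

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # never trust the default/unset root
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and now >= confirmed

    def process(self, message: bytes, now: int) -> bool:
        msg_hash = hashlib.sha256(message).digest()
        # Unknown hashes fall back to the zero root, as an unset EVM slot would.
        root = self.proven_root.get(msg_hash, ZERO_ROOT)
        return self.acceptable_root(root, now)


def misconfigured_upgrade(replica: Replica) -> None:
    """Model of the article's bad upgrade: the default root gets marked confirmed."""
    replica.confirm_at[ZERO_ROOT] = 1


def demo() -> dict:
    """Returns {variant: (unproven message accepted?, proven message accepted?)}."""
    unproven = b"constructed: transfer 100 WBTC to recipient-B"  # never proven
    proven = b"constructed: transfer 1 WETH to recipient-A"      # proven below
    real_root = hashlib.sha256(b"constructed batch root").digest()
    results = {}
    for label, hardened in (("buggy", False), ("hardened", True)):
        r = Replica(reject_zero_root=hardened)
        misconfigured_upgrade(r)
        r.confirm_at[real_root] = 100
        r.proven_root[hashlib.sha256(proven).digest()] = real_root
        results[label] = (r.process(unproven, now=200), r.process(proven, now=200))
    return results
```

Running `demo()` shows the buggy replica accepting both messages while the hardened one still accepts the legitimately proven transfer and rejects the unproven one.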




  • David Canellis, Editor, Blockworks

    David Canellis is an editor and journalist based in Amsterdam who has covered the crypto industry full time since 2018. He’s heavily focused on data-driven reporting to identify and map trends within the ecosystem, from bitcoin to DeFi, crypto stocks to NFTs and beyond.
