The burning bridge
Web3 won’t be the same after the mass Nomad bridge exploit. Unlike previous exploits, this one was not perpetrated by a single group of attackers. It was a mass robbery. First, one attacker struck, and then hundreds of different accounts reused his trick to steal funds. Within a few hours the bridge had only $1,000 left of its $190,740,000. Unknown parties took out almost all of the ETH, USDC, BTC, and other less popular tokens. Blockchain security firm Peckshield pointed out that more than 41 addresses drained $152M — or 80% of the stolen funds.
Now there is a prominent message on the Nomad bridge site asking a white hat hacker and his friends to return the money: “Please return ETH or ERC-20 tokens to this wallet address: 0x94A84433101A10aEda762968f6995c574D1bF154.”
The attack came days after Nomad reported that prominent crypto investors like Coinbase Ventures, OpenSea, Polygon, and Crypto.com Capital had participated in an April $22M seed round. The company was valued at $225M at the time (how ironic!).
🚨Explaining the Nomad bridge hack 🚨
All credit to @samczsun for doing the heavy lifting of diagnosing the precise vulnerability in his postmortem
How did we get the first decentralized crowd-looting of a 9-figure bridge in history? pic.twitter.com/v5u6mrKQv1
— foobar (@0xfoobar) August 2, 2022
What is the Nomad bridge?
It is a cross-chain bridge between Ethereum, Moonbeam, Avalanche, Evmos, and Milkomeda. A blockchain bridge is a protocol that lets separate blockchains communicate with each other. For example, you can move your bitcoin to WBTC on the Ethereum (ETH) network.
How to beat the Nomad?
The attacker exploited a wrong initialization of a critical parameter in the smart contracts, which allowed him to bypass security checks and drain tokens from the bridge. A user must go through an approval process on the destination chain to verify that an asset transfer request coming from the bridge is valid. The approval process verifies that the message has a valid Merkle proof and has been approved by the privileged user (or management). Because of the bad initialization, when a user transferred funds from one blockchain to another, Nomad could not check the transaction amount, which allowed the user to withdraw extra funds. And this turned into the grand theft crypto and the 5th largest DeFi hack of all time, according to blockchain audit company Zellic.
The smart contract was initialized to approve any message with an unknown hash. And so, the attacker crafted an altered message that sent millions of dollars in crypto assets to their wallets. For example, you can send 1 ETH, manually invoke a smart contract on another blockchain, and end up with 100 ETH.
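To make the flaw concrete, here is a simplified Solidity model of the replica-style check described above. It is an added illustration, not Nomad's own contract; the contract name ReplicaModel, the mappings confirmAt and messages, and the vulnerable/fixed initialize and process variants are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model of a bridge "replica" contract (illustration, not Nomad's code).
// A message may only be processed after it has been proven against a Merkle
// root that a trusted updater has committed and that has been confirmed.
contract ReplicaModel {
    // Merkle root => timestamp from which it is acceptable (0 = never confirmed)
    mapping(bytes32 => uint256) public confirmAt;
    // message hash => root it was proven against (0x00 = never proven)
    mapping(bytes32 => bytes32) public messages;

    // VULNERABLE initialisation: if the deployer passes the zero root as the
    // initial committed root, confirmAt[bytes32(0)] becomes non-zero.
    function initializeVulnerable(bytes32 committedRoot) external {
        confirmAt[committedRoot] = 1; // committedRoot == 0x00 in the bad deployment
    }

    // HARDENED initialisation: never trust the zero root, because 0x00 is also
    // the default value stored for every message that was never proven.
    function initializeFixed(bytes32 committedRoot) external {
        require(committedRoot != bytes32(0), "zero root cannot be trusted");
        confirmAt[committedRoot] = block.timestamp;
    }

    function acceptableRoot(bytes32 root) public view returns (bool) {
        uint256 t = confirmAt[root];
        return t != 0 && block.timestamp >= t;
    }

    // Records which confirmed root a message belongs to. A real bridge would
    // verify the Merkle inclusion proof here before accepting the message.
    function prove(bytes32 messageHash, bytes32 root) external {
        require(acceptableRoot(root), "root not confirmed");
        messages[messageHash] = root;
    }

    // Vulnerable process: an unproven message maps to root 0x00, and the
    // vulnerable initialisation made 0x00 "acceptable", so a forged message
    // that was never proven still passes this check.
    function processVulnerable(bytes calldata message) external view returns (bool) {
        return acceptableRoot(messages[keccak256(message)]);
    }

    // Hardened process: explicitly require that the message was proven first.
    function processFixed(bytes calldata message) external view returns (bool) {
        bytes32 h = keccak256(message);
        require(messages[h] != bytes32(0), "message was never proven");
        return acceptableRoot(messages[h]);
    }
}
```

The defender's takeaway is that a "not found" default value (0x00) must never collide with a "trusted" value; the initializer must reject it and the processing path must check that the message was actually proven.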
1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes 👇 pic.twitter.com/Y7Q3fZ7ezm
— samczsun (@samczsun) August 1, 2022
What is impressive: other users only had to copy the hacker’s transaction data, replace the original address with their own, and that’s it – the money was rolling in! Not everyone turned out to be so bad. Some used the data in a way that others did not: to give the money back to Nomad later. For example, leadingscientist.eth.
A Reddit user under the nickname Saoibh pointed out an interesting thing. According to him, the flaw had previously been detected by an external audit, but the Nomad team assured everyone that an exploit through this bug (№19) would never happen, and did not fix it.
Nomad is not the only bridge that got hacked
- 29 January — Qubit bridge hacked for 15.7K ETH, 767 BTC, and $9.5M stablecoins
- 2 February — Wormhole bridge hacked for 93K ETH
- 23 March — Ronin bridge hacked for 174K ETH and 25.5M USDC
- 24 June — Horizon bridge hacked for 86K ETH