A smart contract bug let a large number of attackers drain the project’s funds
After a few quiet months, it’s happened again: another blockchain bridge hack with losses in the hundreds of millions of dollars.
Nomad, a cryptocurrency bridge that lets users swap tokens between blockchains, is the latest to be hit after a frenzied attack on Monday, which left almost $200 million of its funds drained.
The hack was acknowledged by the Nomad project’s official Twitter account on Monday, August 1st, initially as an “incident” that was being investigated. In a further statement released early Tuesday morning, Nomad said that the team was “working around the clock to address the situation” and had also notified law enforcement.
Update: We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics. Our goal is to identify the accounts involved and to trace and recover the funds.
— Nomad (⤭⛓ ) (@nomadxyz_) August 2, 2022
In another Twitter thread, samczsun — a researcher at the crypto and Web3 investment firm Paradigm — explained that the exploit was made possible by a misconfiguration of the project’s main smart contract that allowed anyone with a basic understanding of the code to authorize withdrawals to themselves.
“This is why the hack was so chaotic,” samczsun wrote. “[Y]ou didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”
A further post-mortem from blockchain security auditing firm CertiK noted that this dynamic created its own momentum, where people who saw funds being stolen using the above method were able to substitute their own addresses to replicate the attack. This led to what one Twitter user described as “the first decentralized crowd-looting of a 9-figure bridge in history.”
In a more optimistic take, Nassim Eddequiouaq, crypto CISO at Andreessen Horowitz, suggested the funds could be reclaimed from the “whitehats that drained preventively,” though the identities of those that obtained the funds from Nomad appear to be largely unknown.
The Security team at @a16z Crypto has investigated and found the root cause of the @nomadxyz_ bridge hack. Nothing to be done at this time except getting funds back from whitehats that drained preventively.
We’ll work with ecosystem members to prevent such issues in the future. https://t.co/UpIagMJctQ
— Nass – nassyweazy.eth (@nassyweazy) August 2, 2022
Blockchain bridges are now routinely the targets of the most high-profile hacks in the cryptocurrency industry due to the large value of assets they often hold and the complexity (and thus potential vulnerability) of the smart contract code they run on. This year, just two hacks alone have accounted for almost a billion dollars of stolen funds: in February, the Wormhole bridge platform was hacked for $325 million after a hacker spotted an error in open-source code uploaded to GitHub and exploited it. Then, in March, a hacker stole around $625 million from the Ronin blockchain, which underlies the Axie Infinity crypto game.
“Protecting cross-chain bridges from lucrative attacks such as this are one of the most urgent problems facing the Web3 community,” said Professor Ronghuio Gu, CEO and co-founder of CertiK. “Their security posture needs to be iron clad and is where many of the new developments in Web3 security will be most needed.”