After a few quiet months, another bridge hack has caused losses in the hundreds of millions of dollars: in a frenzied attack on Monday, almost $200 million of the Nomad bridge's funds were drained.
The hack was acknowledged on Monday, August 1st, as an "incident" that was being investigated. The team was working around the clock to address the situation and had notified law enforcement, according to a statement released early Tuesday morning.
Update: We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics. Our goal is to identify the accounts involved and to trace and recover the funds.— Nomad (⤭⛓ ) (@nomadxyz_) August 2, 2022
The exploit was made possible by a misconfiguration of the project's smart contract that allowed anyone with a basic understanding of the code to authorize withdrawals to themselves.
This is why the hack was so chaotic: an attacker did not need to know Solidity or anything else about the contract. All it took was finding a transaction that had worked and replacing the other person's address with your own.
CertiK found that people who saw funds being stolen using the above method were able to substitute their own addresses to recreate the attack. As a result, it became the first crowd-looting of a 9-figure bridge in history.
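To make the misconfiguration concrete, here is an added Python model (not code from the article or from Nomad) of a bridge's destination-side message verifier. It assumes the widely reported cause, which the article does not spell out: the zero-valued message root was marked as confirmed at initialization, so any never-proven message, including a copy of a real one with the recipient swapped, read back that zero root and passed the check. The `Replica` class, `run_scenario` and the addresses are constructed for the example; the hardened variant simply refuses to treat the zero root as confirmed.

```python
import hashlib
from dataclasses import dataclass, field

ZERO_ROOT = "0x" + "00" * 32  # value an unset storage slot reads back as


def message_hash(recipient: str, amount: int) -> str:
    """Constructed stand-in for a bridge message's hash."""
    return hashlib.sha256(f"{recipient}:{amount}".encode()).hexdigest()


@dataclass
class Replica:
    """Toy model of a bridge's destination-side message verifier."""
    trusted_root: str
    hardened: bool  # True: never treat the zero root as confirmed
    proven_root: dict = field(default_factory=dict)  # message hash -> root
    confirm_at: dict = field(default_factory=dict)   # root -> confirm time
    processed: set = field(default_factory=set)
    balances: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        # The misconfiguration: a zero trusted root becomes "confirmed".
        self.confirm_at[self.trusted_root] = 1

    def prove(self, msg_hash: str, root: str) -> None:
        # The real contract checks a Merkle proof here; omitted in the model.
        self.proven_root[msg_hash] = root

    def acceptable_root(self, root: str) -> bool:
        if self.hardened and root == ZERO_ROOT:
            return False  # an unproven message must never pass
        return self.confirm_at.get(root, 0) != 0

    def process(self, recipient: str, amount: int) -> bool:
        h = message_hash(recipient, amount)
        root = self.proven_root.get(h, ZERO_ROOT)  # unproven -> zero root
        if h in self.processed or not self.acceptable_root(root):
            return False
        self.processed.add(h)
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return True


def run_scenario(hardened: bool) -> dict:
    """One proven transfer, then a copy of it with the recipient swapped."""
    real_root = "0x" + "ab" * 32  # constructed: a genuinely confirmed root
    r = Replica(trusted_root=ZERO_ROOT, hardened=hardened)
    r.confirm_at[real_root] = 1
    r.prove(message_hash("0xALICE", 100), real_root)
    return {"legit": r.process("0xALICE", 100),
            "copied": r.process("0xMALLORY", 100)}  # copy was never proven
```

With the weak configuration both transfers succeed; with the hardened check only the proven one does.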
According to Nassim Eddequiouaq, the funds could be reclaimed from the whitehats who drained them preventively, though the identities of those who obtained the funds from Nomad are not known.
The Security team at @a16z Crypto has investigated and found the root cause of the @nomadxyz_ bridge hack. Nothing to be done at this time except getting funds back from whitehats that drained preventively.— Nass - nassyweazy.eth (@nassyweazy) August 2, 2022
We'll work with ecosystem members to prevent such issues in the future. https://t.co/UpIagMJctQ
Because of the large value of assets they often hold and the complexity of the smart contract code they run on, the most high-profile hacks in the cryptocurrency industry target blockchain bridges. The Wormhole bridge platform was hacked for $325 million in February after a hacker spotted an error in open-source code uploaded to GitHub. A hacker stole around $625 million from the Ronin blockchain in March, the network underlying the game Axie Infinity.
One of the most urgent problems facing the Web3 community is protecting cross-chain bridges from lucrative attacks. Many of the new developments in Web3 security will be needed before the ecosystem's security posture can be called ironclad.