Nomad Cross-Chain Bridge Lost Nearly $200 Million in ‘Chaotic, Free For All’ Exploit

Nomad allows users to send and get cryptocurrencies between different blockchains.

By Radhika Parashar | Updated: 2 August 2022 11:29 IST

Nomad Cross-Chain Bridge Lost Nearly $200 Million in ‘Chaotic, Free For All’ Exploit

Photo Credit: Website/ Nomad

Repeated attacks on on-chain bridges have put their security under question

Highlights

Nomad team yet to disclose its response around this attack
Nomad team has acknowledged the attack
The exploit happened on August 1

Nomad, a cross-chain bridge lost $200 million (roughly Rs. 1,570 crore) in what security researchers are calling a ‘free for all' exploit. Unlike conventional attacks, where one culprit is responsible for the exploit, Nomad's case was different. Sam Sun, a Paradigm researcher has explained that a recent update to a Nomad smart contract made it convenient for users to spoof transactions and withdraw funds from the bridge, which originally did not belong to them. As per Sun, this is one of the most chaotic exploits to have happened in the Web3 sector so far.

Nomad allows users to send and receive cryptocurrencies between different blockchains. Cross chain bridges like Nomad, typically lock tokens in a smart contract on one chain and reissue these tokens in ‘wrapped' form on another chain.

In Nomad's case, a smart contract where tokens were initially deposited was sabotaged making way for exploiters to act.

Imran Khan’s Instagram Account Hacked, Linked to Fake Elon Musk Account

“This is why the hack was so chaotic — you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it,” Sun wrote as part of his Twitter thread, decoding the dynamics of the exploit on Nomad.

12/ tl;dr a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all
— samczsun (@samczsun) August 2, 2022

While the cross-chain bridge has not issued media statements on the incident, it has posted a tweet acknowledging that it is aware of the case.

We're aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds. We aren't yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad's official channel: @nomadxyz_
— Nomad (⤭⛓🏛) (@nomadxyz_) August 2, 2022

We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022

Nomad's detailed response on the incident remains awaited.

Bridges have become a popular element of the cryptosphere now that more people have begun swapping assets between different blockchains.

These blockchain bridges have caught the attention of hackers, who are constantly looking at ways to exploit them.

In March, a hack attack on Axie Infinity's Ronin bridge depleted a whopping $625 million (roughly Rs. 4,729 crore) from the Sky Mavis gaming company. The Ronin Network, designed by Axie Infinity developer Sky Mavis, acts as a bridge between the video game and the blockchain, allowing cryptocurrencies to be transferred in and out of the game.

India Not Among World’s Crypto-Ready Countries, Hong Kong Tops List

Back in February, the Wormhole Portal, that allows people to switch from one cryptocurrency to another, also suffered a breach and lost $322 million (roughly Rs. 2,410 crore) worth of Ether.

Why is Oppo making strange choices with its flagship Reno series? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated - see our ethics statement for details.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Cryptocurrency, Nomad, Hack, Wormhole, Ronin

Radhika Parashar

Email Radhika

Radhika Parashar is a senior correspondent for Gadgets 360. She has been reporting on tech and telecom for the last three years now and will be focussing on writing about all things crypto. Besides this, she is a major sitcom nerd and often replies in Chandler Bing and Michael Scott references. For tips or queries you could reach out to her at RadhikaP@ndtv.com. More