The Nomad token bridge is the latest victim of an exploit in which many addresses drained almost all of the network’s funds. A group of thieves and white hat hackers made off with almost $190 million in digital assets from the bridge.
1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes 👇 pic.twitter.com/Y7Q3fZ7ezm
— samczsun (@samczsun) August 1, 2022
Although there are no post-mortem results about the attack yet, the bridge acknowledged the attack. It also said investigations are underway as it has contracted leading blockchain and forensics firms. It has also informed law enforcement.
How the exploit happened
The Nomad exploit differs from other exploits in that it was a simple copy/paste exercise. It required no technical expertise, unlike other exploits where in-depth knowledge of programming was needed.
According to the reporter, the exploit was possible due to an error in the bridge’s replica contract. An error during a routine upgrade allowed every message to be approved by default.
Essentially, this flaw approved small deposits in exchange for large withdrawals.
The first attack happened at 9:32 pm UTC. Not long after, several users replicated the first transaction and changed the address, draining hundreds of millions from the bridge.
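A simplified Python model of the failure mode described above, added here as an illustration and not taken from Nomad's contract or from the article. It assumes the default approval came from an upgrade that marked the empty (zero) root as trusted while unproven messages resolve to that same zero value; all class, method and variable names are hypothetical, and the last function is a post-upgrade invariant check a team could run in tests.

```python
# Simplified model of a bridge "replica" message check (added example;
# all names here are hypothetical, not Nomad's contract code).
ZERO_ROOT = b"\x00" * 32  # default value a lookup returns for unknown keys


class Replica:
    def __init__(self, trusted_root: bytes, reject_zero_root: bool):
        # Roots the bridge treats as confirmed. An upgrade that initializes
        # with an empty root marks ZERO_ROOT itself as trusted (assumption).
        self.confirmed_roots = {trusted_root}
        self.proven = {}  # message hash -> root it was proven against
        self.reject_zero_root = reject_zero_root

    def prove(self, msg_hash: bytes, root: bytes) -> None:
        # Stand-in for Merkle proof verification: records the proven root.
        self.proven[msg_hash] = root

    def process(self, msg_hash: bytes) -> bool:
        # Unproven messages fall back to ZERO_ROOT, mirroring a mapping
        # that returns its zero value for missing keys.
        root = self.proven.get(msg_hash, ZERO_ROOT)
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: the default value is never acceptable
        return root in self.confirmed_roots


def upgrade_invariant_holds(replica: Replica) -> bool:
    """Post-upgrade check: a message nobody proved must be rejected."""
    never_proven = b"\x42" * 32  # constructed sample message hash
    return not replica.process(never_proven)


GOOD_ROOT = b"\x11" * 32  # constructed sample root

# Upgrade initialized with an empty root and no explicit zero check.
faulty = Replica(trusted_root=ZERO_ROOT, reject_zero_root=False)
# Same faulty initialization, but process() refuses the default value.
hardened = Replica(trusted_root=ZERO_ROOT, reject_zero_root=True)
# Correct initialization with a real root.
correct = Replica(trusted_root=GOOD_ROOT, reject_zero_root=False)

if __name__ == "__main__":
    for name, r in [("faulty", faulty), ("hardened", hardened), ("correct", correct)]:
        print(name, "invariant holds:", upgrade_invariant_holds(r))
```

Running the invariant check against every upgraded deployment before it goes live catches the faulty configuration, because the never-proven message is accepted there.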
All might not be lost for the bridge, as some of the funds are in the possession of white hat hackers.
The white hat hackers joined in the free-for-all looting party to preserve some of the funds from the thieves. Many of them have come forward and promised to return the funds in their possession after the team gets in touch.
Nomad, a cross-chain bridge, allows users to easily transfer cryptocurrency tokens from one blockchain to another. It also lets users bridge assets securely with the mindset that anyone watching can detect fraud as well as protect the system.
Other exploits in the cryptosphere
While the Nomad exploit is unique in a way, other major attacks have been recorded this year.
Earlier in the year, the Singapore-based digital currency trading platform Crypto.com also suffered a hack. About 483 of its customers were affected, and as much as $34.5 million was lost.
In May, the popular Play-to-Earn Non-Fungible Token (NFT) game Axie Infinity also experienced an attack on its Discord server. The Ronin Network also lost a total of $625 million to hackers in March. The hack was recorded as the largest Decentralized Finance (DeFi) hack ever.