In one of the most extensive hacks since Axie Infinity's Ronin Bridge Sidechain in March, an exploit on the Nomad token bridge has allowed attackers to rob the bridge of roughly $190 million.
Security firm PeckShield told Decrypt that the funds stolen were denominated in Ethereum, USDC, DAI, FXS, and CQT.
"We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them," Nomad tweeted Monday afternoon.
The Nomad bridge is a protocol allowing users to move digital assets between different blockchains, including Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Milkomeda C1, and Moonbeam (GLMR).
Nomad TVL plummeted as funds were lifted from the protocol. Image: DeFi Llama.
While details from Nomad are scarce, some have pointed to a configuration error in a smart contract that Nomad uses to process messages as the cause, allowing millions to be drained from Nomad's liquidity pool.
"It all started when @officer_cia shared @spreekaway's tweet in the ETHSecurity Telegram channel," Sam Sun, a researcher at crypto investment firm Paradigm, tweeted. "Although I had no idea what was going on at the time, just the sheer volume of assets leaving the bridge was clearly a bad sign."
"It turns out that during a routine upgrade," Sun continued, "the Nomad team initialized the trusted root to be 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case it had a tiny side effect of auto-proving every message."
Nomad bridge attack ‘a frenzied free-for-all’
Sun likened what happened next to “a frenzied free-for-all” because it took little technical knowledge to leverage the exploit.
“You didn't need to know about Solidity or Merkle Trees or anything like that,” Sun wrote. “All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it.”
Similarly, blockchain security firm Certik reported that attackers could exploit the bug by simply copying and pasting transactions. The firm added that people could exploit the upgrade “by copying the original hacker's transaction calldata and replacing the original address with a personal one.”
🚨Explaining the Nomad bridge hack 🚨
All credit to @samczsun for doing the heavy lifting of diagnosing the precise vulnerability in his postmortem
How did we get the first decentralized crowd-looting of a 9-figure bridge in history?
In this way, the bridge was drained of nearly all of its funds.
"Nomad's bridge got owned in a similar manner to Qubit's QBridge," tweeted a16z security engineer Matt Gleason. "An insecure configuration of the bridge caused a specific path to allow any transaction sent. The error is inside the Replica's ‘process’ function."
"The system will accept any message that it has never seen before and process it as if it were genuine, meaning that all you need to do is ask for all the bridge's money and you'll get it," he added.
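As an added illustration, not Nomad's code: a small Python model of the acceptance check the quotes above describe, with the zero-root initialization beside a stricter check that refuses the mapping's default value. The class, method and message names are assumptions, and the Merkle proof is reduced to recording which root a message was proven under.

```python
# Added example (not Nomad's code): a toy model of a bridge Replica's
# message-acceptance path. It shows why a trusted root of 0x00 makes every
# never-seen message look proven, and how a stricter check closes that path.
# Replica, prove, process and acceptable_root are names assumed for this model.
import hashlib

ZERO_ROOT = b"\x00" * 32


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Replica:
    def __init__(self, trusted_root: bytes, strict: bool):
        # initialize(): the trusted root is marked confirmed, even if it is zero
        self.confirm_at = {trusted_root: 1}   # root -> nonzero means "accepted"
        self.messages = {}                    # message hash -> root it was proven under
        self.processed = set()                # replay protection
        self.strict = strict

    def acceptable_root(self, root: bytes) -> bool:
        if self.strict and root == ZERO_ROOT:
            return False  # hardened: the default for an unproven message is never acceptable
        return self.confirm_at.get(root, 0) != 0

    def prove(self, msg: bytes, root: bytes) -> bool:
        # The real system verifies a Merkle proof here; the model only records the binding
        if not self.acceptable_root(root):
            return False
        self.messages[h(msg)] = root
        return True

    def process(self, msg: bytes) -> bool:
        key = h(msg)
        if key in self.processed:
            return False
        # A message that was never proven reads back the mapping default: the zero root
        root = self.messages.get(key, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.add(key)
        return True


def demo() -> dict:
    forged = b"withdraw everything to attacker"   # constructed sample, never proven
    legit = b"transfer 1 token to alice"          # constructed sample, proven below
    real_root = h(b"constructed merkle root")
    vulnerable = Replica(ZERO_ROOT, strict=False)  # zero root confirmed, no extra check
    hardened = Replica(ZERO_ROOT, strict=True)     # same bad root, but zero is rejected
    correct = Replica(real_root, strict=True)      # properly initialized replica
    correct.prove(legit, real_root)
    return {
        "vulnerable_accepts_forged": vulnerable.process(forged),
        "hardened_accepts_forged": hardened.process(forged),
        "correct_accepts_proven": correct.process(legit),
        "correct_accepts_forged": correct.process(forged),
    }
```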
According to the FTC, cyberattacks against crypto projects appear to show no sign of slowing down, with over $1 billion in crypto stolen since 2021.