Nomad Bridge Hack Helped ‘Mob’ Drain Millions From Crypto
As its name suggests, there apparently wasn’t much security to stop a horde of wandering strangers from breaking into the Nomad DeFi project’s token bridge, allowing hundreds of unknown hackers, and some ordinary users, to walk away with over $190 million worth of crypto and leave behind a paltry sum in the project’s wallet.
Late Monday, users started noticing tokens being drained from Nomad’s contracts “in $1 million increments.” Blockchain security firm CertiK confirmed in an analysis on Tuesday that the bridge protocol, which lets users send tokens between separate blockchains, was breached through a routine upgrade that allowed bad actors to bypass message verification. Cointelegraph reported that the first transaction, likely from the initial attacker, removed approximately $2.3 million in crypto from the bridge.
This first breach apparently showed other users how to exploit the bridge, turning it into a Black Friday-esque free-for-all. CertiK’s analysis indicated that the vulnerability resided in the token bridge’s initialization process, introduced in the faulty upgrade, and that anyone could copy the original attacker’s transaction data and simply replace the recipient address with their own. The researchers said that in just four hours, other hackers, bots, and even community members had emptied the protocol in what they described as a “frenzied mob.”
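The following is an added illustration by the editor, written in Python as a simplified model; it is not Nomad’s Solidity code. The widely reported root cause was that the upgrade initialized the bridge’s Replica contract with a trusted Merkle root of all zeros, which is exactly the value a lookup returns for a message that was never proven, so the acceptance check passed for any message without a proof. The model below reproduces that class of bug: a sentinel “unset” value that gets marked as trusted, plus the copy-and-paste replay where only the recipient changes. The `Message`, `Replica`, `hardened` flag, and address strings are the editor’s constructions, and SHA-256 stands in for the on-chain hash.

```python
"""Editor's simplified model of the Nomad-style verification bypass (not project code)."""
import hashlib
from dataclasses import dataclass, field

# An unset bytes32 mapping slot reads back as 32 zero bytes on the EVM.
ZERO_ROOT = b"\x00" * 32


@dataclass
class Message:
    sender: str
    recipient: str
    amount: int

    def hash(self) -> bytes:
        # Stand-in for keccak256(abi.encode(...)); only needs to be deterministic here.
        return hashlib.sha256(f"{self.sender}|{self.recipient}|{self.amount}".encode()).digest()


@dataclass
class Replica:
    """Destination-chain contract that releases funds for proven cross-chain messages."""
    hardened: bool = False                              # toggles the added guards
    confirm_at: dict = field(default_factory=dict)      # merkle root -> timestamp it became trusted
    messages: dict = field(default_factory=dict)        # message hash -> root it was proven against
    balances: dict = field(default_factory=dict)        # recipient -> amount released

    def initialize(self, committed_root: bytes) -> None:
        # Hardened guard 1: refuse a trusted root that collides with the "unset" sentinel.
        if self.hardened and committed_root == ZERO_ROOT:
            raise ValueError("committed root must not be zero")
        self.confirm_at[committed_root] = 1             # trusted immediately

    def prove(self, msg: Message, root: bytes) -> None:
        # Stand-in for a successful Merkle-proof verification against `root`.
        self.messages[msg.hash()] = root

    def acceptable_root(self, root: bytes, now: int) -> bool:
        # Hardened guard 2: never treat the zero root as confirmed, whatever confirm_at says.
        if self.hardened and root == ZERO_ROOT:
            return False
        ts = self.confirm_at.get(root, 0)
        return ts != 0 and ts <= now

    def process(self, msg: Message, now: int = 100) -> bool:
        # An unproven message has no entry, so the lookup yields the zero root,
        # exactly as an unset bytes32 mapping does in Solidity.
        root = self.messages.get(msg.hash(), ZERO_ROOT)
        if not self.acceptable_root(root, now):
            return False
        self.balances[msg.recipient] = self.balances.get(msg.recipient, 0) + msg.amount
        return True


def run_scenario(hardened: bool) -> dict:
    """Legitimate transfer, faulty upgrade, initial drain, copy-paste replay. Returns payouts."""
    replica = Replica(hardened=hardened)

    # A legitimate message proven against a real root still works in both variants.
    legit_root = b"\x11" * 32
    replica.confirm_at[legit_root] = 1                  # root relayed by the honest updater
    legit = Message("0xbridge", "0xalice", 10)
    replica.prove(legit, legit_root)
    replica.process(legit)

    # The faulty upgrade: the zero root is initialized as trusted.
    try:
        replica.initialize(ZERO_ROOT)
    except ValueError:
        pass                                            # hardened contract refuses the unsafe state

    # Initial attacker: an unproven message, no proof supplied at all.
    original = Message("0xbridge", "0xattacker", 2_300_000)
    replica.process(original)

    # Copycat: the same calldata with only the recipient swapped for their own address.
    copy = Message("0xbridge", "0xcopycat", 2_300_000)
    replica.process(copy)
    return dict(replica.balances)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

In the vulnerable run both the original attacker and the copycat are paid without ever supplying a proof, because `acceptable_root(ZERO_ROOT)` is true; in the hardened run only the genuinely proven transfer goes through. The two guards are independent: rejecting the zero root at initialization stops the bad upgrade from taking effect, and rejecting it at verification time means a later misconfiguration cannot reopen the hole.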
The crypto developer who goes by Foobar on Twitter wrote that this attack was “the first decentralized looting of a 9-digit bridge in history.” Hundreds of addresses can be seen receiving tokens from the bridge during the exploit.
Some users have actually come back to the protocol, heads bowed in shame, offering to return the stolen funds. Some claimed it was “an accident,” while others said they were trying to protect their friends’ assets, according to screenshots posted by Foobar. DefiLlama shows that the value locked in the bridge now sits at just under $16,000.
Others who said they drained funds claimed they were “whitehats” trying to protect the crypto and waiting to return it, although Gizmodo could not verify any of the claims made by these supposed white hats, or how much these self-described good actors actually saved. A Nomad representative told Cointelegraph that the team was grateful to the “many” white hats who protected funds.
For its part, Nomad wrote on Twitter that it would “work around the clock to remedy the situation.” The developers said they had contacted law enforcement as they worked to “identify the accounts involved and to trace and recover the funds.” The apparent software bug is not a good look for a company that has touted its belief in a “security first, cross-chain future.”
Only a few months ago, Nomad was a darling of crypto investors, raising $22 million in a seed round led by crypto investor Polychain Capital.
It’s not the only bridge to be hacked this year. The Ronin Bridge, used by the developers of the Axie Infinity play-to-earn game, was drained of roughly $625 million earlier this year. The attackers reportedly got in by contacting a developer on LinkedIn and, after several rounds of fake interviews, sending him a job-offer PDF laced with malware, which gave them access to his computer. Despite efforts to reimburse users and relaunch the bridge, the developers have yet to fully restore users’ confidence in their systems.