Token bridge Nomad drained of <$200M after latest exploit

On Monday, the Nomad cross-chain token bridge was attacked, and the attackers practically drained the protocol of all its cash. Nearly $200 million worth of cryptocurrencies were lost as a result of the hack.

Like other cross-chain bridges, Nomad enables users to transfer tokens back and forth between several blockchains. The attack on Monday is the most recent in a line of widely reported instances that have raised concerns about the safety of cross-chain bridges.

According to DeFi tracking platform DeFi Llama, almost all of the bridge’s $200 million in cryptocurrencies has been taken, leaving only $651.54 in the wallet.

Nomad then later claimed that some of the money had been taken out by “white hat pals” who did it to protect them.

So, how did this happen?

Bridges typically function by reissuing tokens in “wrapped” form on a different chain after locking them up in a smart contract on one network. The wrapped tokens lose their backing if the smart contract where they were initially deposited is compromised. This is what happened in Nomad’s case, making them worthless.

A researcher at the cryptocurrency investment company Paradigm, @samczsun, explained on Twitter that a recent change to one of Nomad’s smart contracts made it simple for users to counterfeit transactions. The Nomad bridge may thus be used by users to withdraw money that did not genuinely belong to them.

The Nomad attack was free for all, unlike some bridge attacks where a single perpetrator is responsible for the entire vulnerability.

11/ This is why the hack was so chaotic – you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it

— samczsun (@samczsun) August 2, 2022

The incident saw WBTC, Wrapped Ether (WETH), USD Coin (USDC), Frax (FRAX), Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai (DAI), GeroWallet (GERO), Card Starter (CARDS), Saddle DAO (SDL), and Charli3 (C3) tokens being drained out from the bridge.

Beware of Impersonators!

After learning about the issue, Nomad informed its users about it. Additionally, the business warned users to watch out for imposters. Nomad tweeted,

“We’re aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds. We aren’t yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad’s official channel.”

The MoonBeam network has essentially been put on hold while the team investigates. As a result, interactions between smart contracts and normal transactions using MoonBeam will no longer be possible.

At least one person has publicly stated their intention to pose as a white hat hacker who will restore the money taken from the bridge so far. In fact, Nomad was contacted by one user who tweeted,

“It’s a white hack, I guess. I’m going to give the money back.”

More and more bridge attacks

Bridge attacks have increased in frequency in recent months as cryptocurrency users have shown a greater desire to transfer funds between various blockchains.

While cross-chain bridges have enabled the spread of fledgling blockchains, bridge failures can be disastrous for smaller chains that depend on them for a significant portion of their overall liquidity.

One of Nomad’s more recent blockchains, Evmos, tweeted reacted to the incident too. It claimed that the Nomad episode “seriously damages initial Evmos [total value locked],” and it would be “brainstorming community solutions.”