On Monday, attackers hit the Nomad cross-chain token bridge and took almost all of the funds from the protocol. Nearly $200 million worth of cryptocurrency was lost in the hack.
Crypto traders routinely use many alternative blockchains, such as Ethereum, Avalanche, and Solana, which can look indistinguishable to the uninitiated. Transferring tokens between blockchains, like Ethereum and Solana, can be quite complicated. Cross-chain bridges have been designed to meet this requirement. Your cryptocurrency is stored in a smart contract on one blockchain, and you then receive your tokens on a separate blockchain via a “bridge”.
In a so-called “decentralized robbery,” a flaw in Nomad’s code allowed users to copy and paste a script to steal money they didn’t own.
People have been concerned about the safety of cross-chain bridges for a long time following a number of well-known events.
The Nomad team commented on the bug in a message reported by CoinDesk. The team has hired the best organizations for blockchain intelligence and forensics, and the investigation is still going on. “We’ve told the police, and we’re working nonstop to solve the problem and get information to you as soon as possible. Our goals are to find the accounts involved, get the money back, and find out where the money went.”
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022
Tokens must be locked up in a smart contract on one chain and then reissued on another chain in a “wrapped” form for bridges to work.
If the smart contract where the wrapped tokens were first deposited is hacked, as happened in Nomad’s case, the tokens lose their backing and become worthless.
A researcher at the cryptocurrency investment company Paradigm said on Twitter that a recent change to one of Nomad’s smart contracts made it easy for users to fake transactions. Users could then use the Nomad bridge to get the money that didn’t really belong to them.
1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes 👇 pic.twitter.com/Y7Q3fZ7ezm
— samczsun (@samczsun) August 1, 2022
The Nomad attack was a free-for-all, unlike some bridge attacks in which a single party is responsible for the entire exploit.
According to the researcher, you had to find a successful transaction, find/replace the other party’s address with your own, and then send it out again.
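A monitoring-side sketch of the copy-and-paste pattern the researcher describes, added here as an example (not code from Nomad, Paradigm or the original article): it groups transactions whose calldata is identical once each sender's own address is masked out. The transaction fields, function selector, addresses and threshold are constructed sample values.

```python
from collections import defaultdict

PLACEHOLDER = "<sender>"

def normalize(sender, calldata):
    """Mask the sender's own address wherever it appears in the calldata."""
    addr = sender.lower().removeprefix("0x")
    return calldata.lower().removeprefix("0x").replace(addr, PLACEHOLDER)

def find_copy_paste_clusters(txs, min_senders=3):
    """Return {template: sorted senders} for calldata templates reused by at
    least `min_senders` distinct senders who each embedded their own address."""
    clusters = defaultdict(set)
    for tx in txs:
        template = normalize(tx["from"], tx["input"])
        if PLACEHOLDER in template:  # only payloads that name the sender
            clusters[template].add(tx["from"].lower())
    return {t: sorted(s) for t, s in clusters.items() if len(s) >= min_senders}

def _sample_tx(sender, amount_hex, recipient=None):
    """Build a constructed transaction: selector + padded address + amount."""
    recipient = recipient or sender
    body = "00" * 12 + recipient[2:] + amount_hex.rjust(64, "0")
    return {"from": sender, "input": "0x12345678" + body}  # made-up selector

# Constructed sample addresses, not real accounts.
A, B, C, D = ("0x" + b * 20 for b in ("a1", "b2", "c3", "d4"))

SAMPLE_TXS = [
    _sample_tx(A, "64"),               # same payload ...
    _sample_tx(B, "64"),               # ... with only the address swapped
    _sample_tx(C, "64"),
    _sample_tx(D, "07"),               # different amount: its own template
    _sample_tx(D, "64", recipient=A),  # sender not embedded: ignored
]

if __name__ == "__main__":
    for template, senders in find_copy_paste_clusters(SAMPLE_TXS).items():
        print(f"{len(senders)} senders reused one payload: {senders}")
```

Matching on the hex string is a simplification; a production rule would decode the call arguments and compare them field by field.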
Bridge attacks have become more common in the past few months as cryptocurrency users have become more interested in moving money between blockchains.
Even though cross-chain bridges have made it possible for new blockchains to pop up, bridge failures can be disastrous for smaller chains that rely on them for a big chunk of their total liquidity.