Thanks to a loophole, unknown persons were able to tap the crypto deposits of the blockchain bridge Nomad. The easily exploitable error probably also invited free riders.
The blockchain service Nomad was relieved of cryptocurrencies worth 190 million US dollars on Monday. The reason was apparently a programming error. Nomad is a so-called bridge, a smart contract that can be used to transfer crypto assets from one blockchain to another chain. A bug in a verification function in the bridge’s smart contract arguably made it relatively easy to siphon off the cryptocurrency deposits.
With a bridge, you pay in a coin such as ether on the one hand and receive an equivalent value in tokens from the other chain on the other hand. The deposited coins are then locked into the smart contract until users return the other tokens to redeem the equivalent value. You shouldn’t be able to trigger more value than you have in those tokens unless, like in this case, you can find a way to trick the mechanic.
According to initial analyzes by security researchers, the error happened in a recent update. According to this, a value for a cryptographic proof was set as valid (0x00 for acceptableRoot), which then also suspended a check routine. Since then, transactions that weren’t were accepted as valid.
Who wants again, who hasn’t?
In order to take advantage of this, it was reportedly sufficient to take data from a transaction once assumed to be valid, replace the destination address with one of your own, and then use it to call a withdrawal in the smart contract again and again. Accordingly, there are numerous withdrawals with identical sums such as 202,440,725413 USDC.
After an initial transaction by an attacker on Monday, the vulnerability made the rounds within a short time and was then exploited by several actors. “And that’s why this hack was so messy,” a blockchain researcher from crypto investment firm Paradigm describes it in a Twitter thread, “You didn’t have to know anything about Solidity or Merkle Trees or anything like that.” Only around $17,000 remained in the bridge’s smart contract, according to figures from Defillama.
White hats saved money
As the specialist service The Block writes, citing the security company Peckshield, around 300 addresses were involved in draining the bridge. At least six of them were probably owned by white hat hackers who are also willing to pay back. They could have saved the equivalent of $8.2 million. Most of the money ended up in 41 addresses.
The Nomad operators explained that they investigated the case and called in the police and blockchain forensic firms. It would now be a matter of tracking down all the accounts involved and bringing the money back. The companies also thanked fellow white hat hackers who had protected funds with their efforts. You should initially keep the seized coins, instructions for a return would follow.
Bridges are popular targets for attacks because of the often high deposit amounts involved. In March, for example, cryptocurrencies valued at $550 million at the time were stolen from a bridge of the blockchain game Axie Infinity. In February, attackers were able to steal cryptocurrency worth $300 million at the time from the Bridge Wormhole.
