Hack Turns into $190M DeFi Free-for-All

The $190 million hack of Nomad, a cross-chain bridge protocol used to make transactions between different blockchains is unusual in one regard.

The theft on Monday (Aug. 1) theft wasnt carried out by one bad actor but apparently by hundreds who were simply able to cut and paste the transaction used in the first attack, substituting their own wallet addresses.

The size of the attack taking the Nomad bridges wallet from $190.7 million to a few hundred dollars means a reported 14,000 users have been robbed.

It is the fourth major bridge protocol hack of the year, following the $320 million Wormhole hack in February, $620 million Ronin hack in April and the $100 million Horizon hack in June. In the first two cases, the attack was an exploit in which a black hat hacker found a weakness in the code. The Horizon attackers apparently compromised the private key codes of several validators who secure proof-of-stake blockchains by guaranteeing that transactions are valid.

Read more: The $100M Hack and Cryptos Cross-Chain Payments Problem

Bridge protocols facilitate cross-chain payments and transactions by letting people deposit one token (often Ethereums ether or stablecoins) and withdraw a wrapped temporary version of the second chains native token that can be used on the new one. When the wrapped tokens are replaced and a fee is paid, users can unlock the crypto they deposited.

Exploiters generally find a way to trick the bridge into letting them withdraw tokens they did not deposit.

Too Easy

Normally, exploiting a flaw in a projects code requires substantial expertise in both crypto programming languages generally, Solidity, developed for Ethereum and used by many competitors and deep technical knowledge of how blockchains, decentralized finance and bridge protocols work.

That was not the case with Nomad, according to Sam Sun, a researcher for Paradigm, a Web3 investment firm.

While the initial hacker needed that expertise, the flaw was so basic that anyone could exploit it once they knew how, he said on Twitter.

You didn’t need to know about Solidity or Merkle Trees or anything like that, Sun said. All you had to do was find a transaction that worked, find/replace the other person’s [digital wallet] address with yours, and then re-broadcast it. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all.

Blockchain security firm Certik said in an analysis of the attack that a flawed upgrade of the Nomad code allowed an attacker to bypass the message verification process and drain the tokens from the bridge contract.

One blockchain security researcher told TechCrunch, Its like using a checkbook to withdraw funds from a bank, and the bank doesnt verify if we actually hold enough money, in the account to cover it. They only care that the check itself looks valid.

Certik added that in four hours, other hackers, bots and community members replicated the initial attack, draining it in a frenzied mob attack in what [blockchain developer and] Twitter user @0xfoobar called, …the first decentralized crowd-looting of a 9-figure bridge in history?

Nomad, whose Twitter account bio says that the future of cross-chain communication is optimistic, noted that it is working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics. Our goal is to identify the accounts involved and to trace and recover the funds.

While some questions have been raised about whether it really was a mob-style looting rather than one attacker pretending to be many, Nomad also noted that many white hat hackers have reached out saying they took funds in order to protect them from theft and asked where to return them.

In April, Nomad raised $22.4 million in a seed funding round led by major crypto venture capital firm Polychain Capital.

In its announcement, Nomad said its cross-chain messaging protocol tackles the growing need for more secure blockchain interoperability… Unlike validator-based cross-chain bridges, Nomad does not rely on a large set of external parties and only one honest actor is required to keep the entire system safe.

Or not.


For all PYMNTS Crypto coverage, subscribe to the dailyCrypto Newsletter.



About: The findings in PYMNTS new study, The Super App Shift: How Consumers Want To Save, Shop And Spend In The Connected Economy, a collaboration with PayPal, analyzed the responses from 9,904 consumers in Australia, Germany, the U.K. and the U.S. and showed strong demand for a single multifunctional super apps rather than using dozens of individuals ones.