IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Nomad crypto bridge drained of $190 million through “chaotic” exploit

The Nomad team has notified law enforcement and retained leading firms for blockchain intelligence and forensics, it said in a statement on Twitter

The cross-chain token bridge Nomad was hit with an exploit yesterday causing attackers to drain it of nearly $200 million.

Nomad is a cross-chain bridge which allows users to send and receive tokens between different blockchains, and one that prides itself on security.

Paradigm researcher samczsun called it one of the most chaotic hacks that Web3 has ever seen. The researcher found that during a routine upgrade, the Nomad team initialised the trusted root to be 0x00, which is needed for authentication.

“To be clear, using zero values as initialisation values is a common practice. Unfortunately, in this case, it had a tiny side effect of auto-proving every message,” samczsun said on Twitter. “This is why the hack was so chaotic - you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it.”

In summary, a routing upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad, added the researcher. This allowed attackers to abuse this to copy and paste transactions, which quickly drained the bridge in a frenzied free-for-all.

“We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them,” the Nomad team said on Twitter.

Nomad revealed that it’s working around the clock to address the situation and has notified law enforcement and retained leading firms for blockchain intelligence and forensics. Its goal is to identify the accounts involved and to trace and recover the funds.

The company also thanked its many white hat friends who acted proactively and are safeguarding funds. It instructed them to continue to hold them until it provides further instructions on a Twitter thread.

This isn’t the only major hack to have hit the crypto world this year, as the Ronin blockchain was hacked in March, with around $600 million worth of cryptocurrency stolen. Ronin is the blockchain that powers Axie Infinity, an NFT game, with hackers managing to obtain private keys to it and carrying out fake withdrawals.

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Most Popular

Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs
zero-day exploit

Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs

18 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
The benefits of a hardware update for SMBs
Sponsored

The benefits of a hardware update for SMBs

2 Aug 2022