Nomad crypto bridge drained of $190 million through “chaotic” exploit

Blocks organised in several lines to represent blockchain technology

(Image credit: Shutterstock)

The cross-chain token bridge Nomad was hit with an exploit yesterday causing attackers to drain it of nearly $200 million.

Nomad is a cross-chain bridge which allows users to send and receive tokens between different blockchains, and one that prides itself on security.

Web3 projects lose over $2 billion to hacks and exploits in 2022 Google Cloud confirms it is building a dedicated team to support Web3 developers Microsoft releases analysis of Web3 'ice phishing' attack

Paradigm researcher samczsun called it one of the most chaotic hacks that Web3 has ever seen. The researcher found that during a routine upgrade, the Nomad team initialised the trusted root to be 0x00, which is needed for authentication.

“To be clear, using zero values as initialisation values is a common practice. Unfortunately, in this case, it had a tiny side effect of auto-proving every message,” samczsun said on Twitter. “This is why the hack was so chaotic - you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it.”

In summary, a routing upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad, added the researcher. This allowed attackers to abuse this to copy and paste transactions, which quickly drained the bridge in a frenzied free-for-all.

“We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them,” the Nomad team said on Twitter.

Nomad revealed that it’s working around the clock to address the situation and has notified law enforcement and retained leading firms for blockchain intelligence and forensics. Its goal is to identify the accounts involved and to trace and recover the funds.

The company also thanked its many white hat friends who acted proactively and are safeguarding funds. It instructed them to continue to hold them until it provides further instructions on a Twitter thread.

This isn’t the only major hack to have hit the crypto world this year, as the Ronin blockchain was hacked in March, with around $600 million worth of cryptocurrency stolen. Ronin is the blockchain that powers Axie Infinity, an NFT game, with hackers managing to obtain private keys to it and carrying out fake withdrawals.

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.