
Nomad crypto bridge drained of $190 million through “chaotic” exploit

The Nomad team has notified law enforcement and retained leading firms for blockchain intelligence and forensics, it said in a statement on Twitter

The cross-chain token bridge Nomad was hit with an exploit yesterday that allowed attackers to drain it of nearly $200 million.

Nomad is a cross-chain bridge that allows users to send and receive tokens between different blockchains, and it prides itself on security.

Paradigm researcher samczsun called it one of the most chaotic hacks that Web3 has ever seen. The researcher found that during a routine upgrade, the Nomad team initialised the trusted root, which is needed for authentication, to 0x00.

“To be clear, using zero values as initialisation values is a common practice. Unfortunately, in this case, it had a tiny side effect of auto-proving every message,” samczsun said on Twitter. “This is why the hack was so chaotic - you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it.”

In summary, a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad, the researcher added. Attackers abused this by copying and pasting transactions, which quickly drained the bridge in a frenzied free-for-all.
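The flaw the researcher describes can be modelled in a few lines. The sketch below is an added example, not Nomad's contract code: the `Verifier` class, its fields and the sample messages are assumptions constructed for illustration, and Merkle proof checking is left out. It shows why trusting the zero root accepts messages that were never proven, and how refusing the zero value closes the gap.

```python
import hashlib

ZERO_ROOT = bytes(32)  # what an unset 32-byte storage slot reads back as


class Verifier:
    """Toy model of a bridge message verifier (assumed structure, not Nomad's code)."""

    def __init__(self, initial_root: bytes, hardened: bool):
        self.hardened = hardened
        if hardened and initial_root == ZERO_ROOT:
            raise ValueError("zero root must never be trusted")
        self.trusted_roots = {initial_root}
        self.proven_under = {}  # message hash -> root it was proven against

    def _is_trusted(self, root: bytes) -> bool:
        if self.hardened and root == ZERO_ROOT:
            return False  # the "never proven" sentinel is never acceptable
        return root in self.trusted_roots

    def prove(self, message: bytes, root: bytes) -> None:
        # Merkle proof verification is omitted; this model assumes it passed.
        if not self._is_trusted(root):
            raise ValueError("untrusted root")
        self.proven_under[hashlib.sha256(message).digest()] = root

    def process(self, message: bytes) -> bool:
        digest = hashlib.sha256(message).digest()
        # Like a Solidity mapping, an unknown key reads back as zero.
        root = self.proven_under.get(digest, ZERO_ROOT)
        return self._is_trusted(root)


def demo():
    """Return (buggy accepts unproven, fixed accepts unproven, fixed accepts proven)."""
    real_root = hashlib.sha256(b"constructed sample root").digest()
    unproven = b"constructed message that was never proven"
    proven = b"constructed message with a valid proof"
    buggy = Verifier(ZERO_ROOT, hardened=False)  # upgrade trusted 0x00
    fixed = Verifier(real_root, hardened=True)
    fixed.prove(proven, real_root)
    return buggy.process(unproven), fixed.process(unproven), fixed.process(proven)


if __name__ == "__main__":
    print(demo())
```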

“We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them,” the Nomad team said on Twitter.

Nomad revealed that it’s working around the clock to address the situation and has notified law enforcement and retained leading firms for blockchain intelligence and forensics. Its goal is to identify the accounts involved and to trace and recover the funds.

The company also thanked its many white hat friends who acted proactively and are safeguarding funds. In a Twitter thread, it asked them to continue holding the funds until it provides further instructions.

This isn’t the only major hack to have hit the crypto world this year: the Ronin blockchain was hacked in March, with around $600 million worth of cryptocurrency stolen. Ronin is the blockchain that powers Axie Infinity, an NFT game; hackers managed to obtain private keys to it and carried out fake withdrawals.
