
Nomad crypto bridge drained of $190 million through “chaotic” exploit

The Nomad team has notified law enforcement and retained leading firms for blockchain intelligence and forensics, it said in a statement on Twitter

The cross-chain token bridge Nomad was hit with an exploit yesterday causing attackers to drain it of nearly $200 million.

Nomad is a cross-chain bridge which allows users to send and receive tokens between different blockchains, and one that prides itself on security.

Paradigm researcher samczsun called it one of the most chaotic hacks that Web3 has ever seen. The researcher found that during a routine upgrade, the Nomad team initialised the trusted root to be 0x00, which is needed for authentication.

“To be clear, using zero values as initialisation values is a common practice. Unfortunately, in this case, it had a tiny side effect of auto-proving every message,” samczsun said on Twitter. “This is why the hack was so chaotic - you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it.”

In summary, a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad, the researcher added. Attackers abused this to copy and paste transactions, which quickly drained the bridge in a frenzied free-for-all.
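The failure mode described above, as an added illustration that is not Nomad's code: a toy replica that stores the root each message was proven under, where an unproven message falls through to the default storage value of zero, so marking the zero root as trusted auto-proves everything. The class and function names are assumptions, the hash is a stand-in for the on-chain Keccak-256, and the "hardened" flag shows the two checks that close the hole (refuse to trust the zero root, and reject messages whose stored root is zero).

```python
import hashlib

ZERO_ROOT = b"\x00" * 32


def _hash(data: bytes) -> bytes:
    # Stand-in for the Keccak-256 message hash used on-chain (assumption).
    return hashlib.sha3_256(data).digest()


class Replica:
    """Toy model of a bridge replica's message-acceptance check (not Nomad's code)."""

    def __init__(self, committed_root: bytes, hardened: bool):
        self.hardened = hardened
        self.confirm_at = {}   # confirm_at[root] > 0 means the root is trusted
        self.messages = {}     # messages[hash] = root the message was proven under
        self._set_trusted_root(committed_root)

    def _set_trusted_root(self, root: bytes) -> None:
        # Hardened form: the zero root must never become an acceptable root.
        if self.hardened and root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.confirm_at[root] = 1

    def prove(self, message: bytes, root: bytes) -> None:
        # Merkle-proof verification is omitted from this model; the real
        # contract requires a valid proof before recording the root.
        self.messages[_hash(message)] = root

    def acceptable_root(self, root: bytes) -> bool:
        return self.confirm_at.get(root, 0) > 0

    def process(self, message: bytes) -> bool:
        # An unproven message has no stored root, so it reads back as zero,
        # exactly like an uninitialised storage slot on-chain.
        root = self.messages.get(_hash(message), ZERO_ROOT)
        if self.hardened and root == ZERO_ROOT:
            return False  # never proven: reject before consulting confirm_at
        return self.acceptable_root(root)


def unproven_message_accepted(committed_root: bytes, hardened: bool) -> bool:
    """Does a message that nobody proved pass the replica's check?"""
    try:
        replica = Replica(committed_root, hardened)
    except ValueError:
        return False  # hardened replica refused the zero root at upgrade time
    forged = b"transfer 100 tokens to some recipient"  # constructed sample message
    return replica.process(forged)
```

With the zero root trusted and no hardening, `unproven_message_accepted` returns True, which is the whole incident in one call; either check alone is enough to make it return False while genuinely proven messages still pass.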

“We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them,” the Nomad team said on Twitter.

Nomad revealed that it’s working around the clock to address the situation and has notified law enforcement and retained leading firms for blockchain intelligence and forensics. Its goal is to identify the accounts involved and to trace and recover the funds.

The company also thanked its many white hat friends who acted proactively and are safeguarding funds. It asked them to continue holding those funds until it gives further instructions in a Twitter thread.

This isn’t the only major hack to have hit the crypto world this year: the Ronin blockchain was hacked in March, with around $600 million worth of cryptocurrency stolen. Ronin is the blockchain that powers Axie Infinity, an NFT game; the hackers obtained private keys to it and carried out fake withdrawals.
