Bad Code Update Lets Hackers Steal $190M From Cryptocurrency Bridge Nomad

essidsolutions

Functional aberrations in the Nomad bridge enabled hackers to siphon nearly $190 million off the cryptocurrency platform. The heist, an example of a decentralized robbery, resulted from a bad routine update and was over in just a couple of hours on Monday, August 2, 2022.

Nomad, which operates under parent company Illusory Systems, had over $190 million in its smart contracts when hackers identified a flaw that allowed them to carry out transactions without preserving crypto integrity.

Researchers first noticed a blip shortly after 9 AM ET when several accounts withdrew 100 bitcoins amounting to $1.7 million. By the time Nomad could control the situation, only about $1,000 remained in Nomad smart contracts, with the rest stolen by the hackers.

The Nomad bridge heist is atypical in that its users weren’t robbed by conventional hackers, at least not at the outset. As Paradigm crypto researcher Sam Sun pointed out, the attackers did not need to know Solidity, the language used in Ethereum and other blockchains to implement smart contracts, or Merkle trees, a data structure used in blockchain encoding.

“All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it,” @samczun noted. “This is why the hack was so chaotic.”

Nomad is one of the several cross-chain companies that offer blockchain interoperability, i.e., the ability to transfer and trade cryptocurrency tokens between multiple blockchain networks like Ethereum, Solana, Moonbeam, etc. Users need to store crypto in smart contracts, which are programs that execute when predetermined conditions are met.

“It all started when @officer_cia shared @spreekaway’s tweet in the ETHSecurity Telegram channel. Although I had no idea what was going on at the time, just the sheer volume of assets leaving the bridge was clearly a bad sign,” Sam Sun said.

Others quickly figured out that simply copy-pasting the original hacker’s transaction call data and replacing the recipient address with one they owned was enough for the transaction to go through. The flaw in the Nomad bridge source code, an improper initialization of the trusted Merkle root to the zero value (0x00), meant that every message was treated as valid by default and executed, despite being illicit.


The significance of the flaw is that it allowed hackers to send a small amount, as little as 0.1 bitcoin, from one blockchain on Nomad and receive an arbitrary, higher amount of as much as 100 bitcoin on another blockchain.

Moreover, anyone could exploit this code flaw to steal cryptocurrency from Nomad smart contracts. The hackers then deployed bots to replicate more attacks to make the most of the fatal flaw. In essence, Nomad smart contracts became ATMs that handed out cash without the need to enter a PIN.
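The mechanism described above, modeled as an added example (this is illustrative code written for this article, not Nomad’s or Illusory Systems’ contract code): a minimal bridge "replica" that processes a message only when the Merkle root it was proven against is trusted. If initialization marks the all-zero root as confirmed, every message that was never proven (and therefore maps to the zero root) passes the check, including a copied message with the recipient swapped. The hardened variant refuses to trust the zero root and requires a message to have been proven before it is processed. The contract layout, the `confirm_at`/`proven_root` names, the toy message encoding and the sample transfers are all assumptions of this example.

```python
"""Added example, not Nomad's code: model of a trusted-root check on a bridge
replica, showing the effect of trusting the zero root at initialization."""
from dataclasses import dataclass, field
import hashlib

ZERO_ROOT = b"\x00" * 32  # root value an unproven message maps to by default


def message_hash(message: bytes) -> bytes:
    # Stand-in for the contract's message hash (sha256 used for portability).
    return hashlib.sha256(message).digest()


@dataclass
class Replica:
    # root -> time at which the root becomes acceptable (missing/0 = untrusted)
    confirm_at: dict = field(default_factory=dict)
    # message hash -> root the message was proven against (missing = never proven)
    proven_root: dict = field(default_factory=dict)
    processed: set = field(default_factory=set)
    hardened: bool = False  # False reproduces the flawed behaviour

    def initialize(self, committed_root: bytes) -> None:
        # Flawed pattern: trust whatever committed root is supplied, at once.
        # An upgrade that passes 0x00 here makes the zero root trusted.
        if self.hardened and committed_root == ZERO_ROOT:
            return  # hardened: the zero root is never recorded as trusted
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.hardened and root == ZERO_ROOT:
            return False  # defense in depth: reject the zero root however it got in
        t = self.confirm_at.get(root, 0)
        return t != 0 and now >= t

    def prove(self, message: bytes, root: bytes) -> None:
        # A real replica verifies a Merkle inclusion proof here; this example
        # assumes the proof checked out and records the root the message belongs to.
        self.proven_root[message_hash(message)] = root

    def process(self, message: bytes, now: int) -> bool:
        h = message_hash(message)
        if h in self.processed:
            return False  # identical bytes cannot be processed twice
        if self.hardened and h not in self.proven_root:
            return False  # hardened: a never-proven message is rejected outright
        root = self.proven_root.get(h, ZERO_ROOT)  # unproven -> zero root
        if not self.acceptable_root(root, now):
            return False
        self.processed.add(h)
        return True


def encode_transfer(recipient: str, amount_sat: int) -> bytes:
    # Constructed toy message format "<recipient>:<amount>", not Nomad's encoding.
    return f"{recipient}:{amount_sat}".encode()


def replace_recipient(message: bytes, new_recipient: str) -> bytes:
    # The "find/replace the other person's address" step the article quotes.
    _, amount = message.decode().split(":")
    return encode_transfer(new_recipient, int(amount))


def run_scenario(hardened: bool) -> dict:
    """Returns which constructed messages the replica accepted."""
    replica = Replica(hardened=hardened)
    replica.initialize(ZERO_ROOT)  # the bad upgrade: committed root is 0x00

    original = encode_transfer("0xALICE", 10_000_000_000)  # never proven
    copied = replace_recipient(original, "0xMALLORY")      # never proven either
    legit = encode_transfer("0xBOB", 10_000_000)            # properly proven below

    real_root = hashlib.sha256(b"constructed batch root").digest()
    replica.confirm_at[real_root] = 1  # a genuinely confirmed root
    replica.prove(legit, real_root)

    return {
        "original": replica.process(original, now=100),
        "copied": replica.process(copied, now=100),
        "proven": replica.process(legit, now=100),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

With `hardened=False` all three messages are accepted, including the copied one, because the zero root was marked confirmed at initialization; with `hardened=True` only the message that was actually proven against a confirmed root goes through. The two checks (never trust the zero root, never process an unproven message) are independent, so either one alone would have stopped the unproven messages; keeping both guards against a future initialization mistake.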

The Moonbeam Network went into maintenance to determine the cause and concluded that the incident was not unrelated to its network. Nomad, which recently raised $22 million in its seed round, acknowledged the issue and notified law enforcement.

The Nomad bridge incident follows the $620 million Ronin network heist by the Lazarus Group and the $100 million Harmony bridge heist. However, those two heists differed from the $190 million Nomad robbery: in those incidents, hackers required access to private keys to carry out the attack, making them targeted attacks.

However, the Nomad heist is much more rudimentary. It just took a bad code upgrade in the very thing that secures it to blow it wide open. With $190 million stolen, it could be the third costliest crypto incident in 2022.

The top crypto incidents from H1 2022 are:

Crypto Losses

Period    Incident          Losses
Q1 2022   Ronin network     $620 million
Q1 2022   Wormhole          $326 million
Q2 2022   Beanstalk         $182 million
Q2 2022   Harmony           $100 million
Q2 2022   Mirror Protocol   $90 million
Q2 2022   Fei Protocol      $80.34 million
Q1 2022   Qubit             $80 million
Q1 2022   Cashio            $50 million
Q1 2022   IRA Financial     $36 million
Q2 2022   Fantom Scream     $35 million

The use of crypto bridges has increased in recent years owing to their interoperability and the scalability they provide for blockchain transactions. However, they are proving to be a hacker favorite.

Blockchain analytics company Elliptic attributed $1 billion in crypto losses to heists from crypto bridges. Overall, total crypto losses, including those from crypto bridges, climbed 1.6x year-over-year to $1.3 billion in Q1 2022. In Q2 2022, crypto losses surged 1.5x YoY to $670 million, according to Immunefi.

The Solana blockchain is currently under attack from an unknown threat actor. So far, 7,767 hot accounts (the ones always connected to the internet) on the Solana network have been emptied with losses amounting to $8 million.

“The evidence we have at hand now points to stolen private keys as the culprit for the attacks on Solana users who use specific wallet apps,” opined Paul Bischoff, privacy advocate at Comparitech.

“The passwords could have been stolen from a database, a supply chain attack that infected some wallet apps, or by phishing users for individual passwords. Given the number of wallets affected, one of the former two seems more likely. Solana users should move their funds to cold wallets to prevent theft until the attacks are stopped.”

Solana’s value fell approximately 6% to $38.02 in the last 24 hours but later recovered. The SOL token currently sits just 1% below its 24-hour value.
