Bad code resulted in $190 million being taken from the Nomad Bridge, a cryptocurrency protocol that allows people to move crypto coins between different blockchains. In what’s called “decentralized theft,” a flaw in Nomad’s coding allowed people to steal money they didn’t have simply by copying and pasting a script.
All blockchains may be indistinguishable to the uninitiated, but crypto traders often use several, such as Ethereum, Avalanche, Solana, etc. Trading tokens between different blockchains – like taking bitcoins and using them on the Ethereum blockchain, or taking ether and using them on Solana – can actually be quite complex. To meet this demand, several companies have created “cross-chain” bridges. You deposit cryptocurrency into a smart contract on a blockchain and “link” those tokens to another blockchain.
The key point, when it comes to Monday’s exploit, is that this whole process hinges on locking the cryptocurrency into the smart contract. A single ether deposited in an Ethereum smart contract acts as collateral for the ether the user receives on, for example, the Avalanche blockchain. Nomad had over $190 million in public funds in its smart contract prior to the exploit. As of this writing, only $9,000 remains locked in the smart contract.
Unfortunately, an “upgrade” to this smart contract led to an exploit that anyone could take advantage of. Decentralized finance being what it is – anonymous and notoriously degenerate – meant that $190 million was sucked out of protocol within hours.
You need to know the Ethereum development language, Solidity, to understand the technical aspects. The bottom line is that the smart contract has broken. Some transactions that should not be approved could be pushed and replicated. It appears that suspicious transactions began around 9:13 a.m. PT when multiple wallets withdrew 100 bitcoin ($1.7 million) from the bridge. All anyone had to do from there was copy and paste the exact script used by the scammer, replacing the original exploiter’s wallet number with their own, and pass it on. Others withdrew funds in ether and USDC stablecoin, among other tokens.
“That’s why the hack was so chaotic,” said Sam Sun, a researcher for crypto investment firm Paradigm, in a tweet thread deconstructing exploit. “You didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with the yours, then repost it.”
“Easy as CTRL-C, CTRL-V,” tweeted another blockchain sleuth.
Since most people were copying and pasting information, the funds were flowing in identical installments. There have been hundreds of transactions that have seen people withdraw $202,440 in the USDC stablecoin at once, for example.
In the blockchain equivalent of “America’s Dumbest Criminals” types robbing gas stations with their tag, some people have mined their smart contract with public wallet addresses designed to be traceable. Many returned the funds. Others claimed to be acting in good faith, withdrawing funds they had pledged to protect and returning when the smart contract was secure.
“We are aware of the incident involving the Nomad Token Bridge,” Nomad said in a statement on Twitter. “We are currently investigating and will provide updates when we have them.”
Nomad was contacted for comment but did not immediately respond.