Bad code resulted in $190 million being taken from the Nomad Bridge, a cryptocurrency protocol that allows people to move crypto coins between different blockchains. In what’s called “decentralized theft,” a flaw in Nomad’s coding allowed people to steal money they didn’t have simply by copying and pasting a script.
All blockchains may look alike to the uninitiated, but crypto traders often use several, such as Ethereum, Avalanche and Solana. Moving tokens between different blockchains – like taking bitcoin and using it on the Ethereum blockchain, or taking ether and using it on Solana – can actually be quite complex. To meet this demand, several companies have created “cross-chain” bridges: you deposit cryptocurrency into a smart contract on one blockchain and receive tokens “linked” to that deposit on another blockchain.
The key point, when it comes to Monday’s exploit, is that this whole process hinges on locking the cryptocurrency into the smart contract. A single ether deposited in an Ethereum smart contract acts as collateral for the ether the user receives on, for example, the Avalanche blockchain. Nomad had over $190 million in public funds in its smart contract prior to the exploit. As of this writing, only $9,000 remains locked in the smart contract.
Unfortunately, an “upgrade” to this smart contract introduced an exploit that anyone could take advantage of. Decentralized finance being what it is – anonymous and notoriously degenerate – $190 million was sucked out of the protocol within hours.
Messages popping up on public Discord servers of random people grabbing $3,000 to $20,000 from the Nomad Bridge – all you had to do was copy the hacker’s first transaction and change the address, then press send via Etherscan. Just like real crypto – the first decentralized theft. https://t.co/jWV9AamBer
— FatMan (@FatManTerra) August 2, 2022
The Nomad bridge is being actively hacked. WETH and WBTC are being withdrawn in $1 million increments. Withdraw all funds if you can, there is still $126 million left in the contract which is likely at risk pic.twitter.com/oDo7oT1glW
— foobar (@0xfoobar) August 1, 2022
This attack on Nomad was something I had never seen before.
People started replicating the attack after a few minutes, as the initial attacker systematically emptied the pool.
At one point, random dudes with ENS names were getting a million USDC per trade. pic.twitter.com/KgBxAfLHtJ
— raz (@leadinscientist) August 1, 2022
You need to know the Ethereum development language, Solidity, to understand the technical details. The bottom line is that the smart contract was broken: transactions that should never have been approved could be submitted, and then replicated. Suspicious transactions appear to have begun around 9:13 a.m. PT, when multiple wallets withdrew 100 bitcoin ($1.7 million) from the bridge. From there, all anyone had to do was copy and paste the exact script the exploiter had used, replace the original exploiter’s wallet address with their own, and send it. Others withdrew funds in ether and the USDC stablecoin, among other tokens.
“That’s why the hack was so chaotic,” said Sam Sun, a researcher for crypto investment firm Paradigm, in a tweet thread deconstructing the exploit. “You didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, then repost it.”
“Easy as CTRL-C, CTRL-V,” tweeted another blockchain sleuth.
Since most people were copying and pasting the same transaction, the funds flowed out in identical installments. Hundreds of transactions, for example, each withdrew exactly $202,440 in the USDC stablecoin.
In the blockchain equivalent of the “America’s Dumbest Criminals” types who rob gas stations with their name tags on, some people drained the smart contract using public wallet addresses that were easy to trace. Many returned the funds. Others claimed to have acted in good faith, withdrawing funds to protect them and pledging to return them once the smart contract was secure.
“We are aware of the incident involving the Nomad Token Bridge,” Nomad said in a statement on Twitter. “We are currently investigating and will provide updates when we have them.”
Nomad was contacted for comment but did not immediately respond.
CNET