Following in the footsteps of the notorious $600 million Axie Infinity Ronin Bridge exploit, hackers got away with nearly $200 million from the Nomad token bridge. They supposedly took advantage of a security weakness and used it to systematically drain the network of $190 million over a long series of transactions. The Nomad token bridge has been left with USD 651.54 in its wallet.
DeFi Llama, a decentralized finance tracking platform, said some funds were withdrawn by white hat friends who took the funds out with the intention of safeguarding them. The initial suspicious transaction occurred at 9.32 pm UTC when a hacker managed to remove 100 WBTC worth around USD 2.3 million in tokens from the bridge. The community raised the alarm with the Nomad team confirming the incident at 11.35 pm UTC. The Nomad team saw that at least some of the hackers who took the funds acted benevolently to protect the crypto assets from falling into the wrong hands. The platform is probing the incident and will provide further details.
The Nomad bridge protocol allows users to move digital assets between different blockchains like Avalanche, Ethereum, Moonbeam, and Evmos. Some people believe a configuration error in the smart contract that Nomad uses to process messages may have been exploited to drain millions of dollars from the platform’s liquidity pool. Sam Sun, a researcher at Paradigm, tweeted that it all started when a tweet was shared on the ETHSecurity Telegram channel. He said no one knew what was happening, but the sheer volume of assets leaving the bridge was clearly a bad sign. Sun believes that during a routine upgrade, the Nomad team initialized the trusted root to be 0x00. He explained that using zero values for initialization is a common practice, but in this case it had the tiny side effect of auto-approving every message.
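The following added example is not from the article or from Nomad's code base; it is a simplified Python model of the defect Sun describes, with assumed names (`messages`, `confirm_at`, `acceptable_root`, `process_*`) standing in for the contract's message-processing logic. It shows why marking the zero root as trusted lets an unproven message through, and the check that closes the hole.

```python
from dataclasses import dataclass, field

ZERO_ROOT = bytes(32)  # the 0x00 root the article says was marked trusted


@dataclass
class Replica:
    """Toy model of a bridge's message-processing contract (assumption:
    modeled on the article's description, not on Nomad's actual source)."""
    now: int = 1_000
    # message hash -> Merkle root it was proven against. Unproven hashes are
    # absent; in Solidity a missing mapping entry reads back as bytes32(0).
    messages: dict = field(default_factory=dict)
    # root -> timestamp at which it becomes acceptable; 0 means "never confirmed"
    confirm_at: dict = field(default_factory=dict)
    processed: set = field(default_factory=set)

    def initialize(self, committed_root: bytes) -> None:
        # The upgrade step: the initial root is marked as already confirmed.
        # Called with the zero root, this trusts the "unproven" sentinel too.
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes) -> bool:
        ts = self.confirm_at.get(root, 0)
        return ts != 0 and self.now >= ts

    def process_vulnerable(self, msg_hash: bytes) -> bool:
        # An unproven message maps to the zero root, which acceptable_root()
        # trusts after initialize(ZERO_ROOT): every message is auto-approved.
        if msg_hash in self.processed:
            return False
        if not self.acceptable_root(self.messages.get(msg_hash, ZERO_ROOT)):
            return False
        self.processed.add(msg_hash)
        return True

    def process_fixed(self, msg_hash: bytes) -> bool:
        # Hardened: a message that was never proven is rejected outright,
        # whatever confirm_at says about the zero root.
        if msg_hash in self.processed:
            return False
        root = self.messages.get(msg_hash)
        if root is None or root == ZERO_ROOT or not self.acceptable_root(root):
            return False
        self.processed.add(msg_hash)
        return True


def demo() -> tuple:
    forged = b"\x11" * 32  # constructed: a message hash that was never proven
    vuln, fixed = Replica(), Replica()
    vuln.initialize(ZERO_ROOT)
    fixed.initialize(ZERO_ROOT)
    return vuln.process_vulnerable(forged), fixed.process_fixed(forged)
```

`demo()` returns `(True, False)`: the same zero-root initialization lets the unproven message through the original check and is harmless once proof of inclusion is required first.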
Sun likened it to a frenzied free-for-all, as it took little technical knowledge to take advantage of the exploit. All a person had to do, he said, was find a transaction that worked, replace the other person’s address with their own, and re-broadcast it. Experts at CertiK, a blockchain security firm, said hackers could exploit the bug by simply copying and pasting transactions and replacing the original address with their own.
As such, the Nomad bridge lost millions.