Nomad – a bridge network allowing users to convert their assets across blockchains – was “exploited for over $156.4 million on August 1st.”
Over 40 attackers utilized a code error that “allowed them to spoof transactions – draining Nomad’s Ethereum contract of most of its funds.” The exploit is “the sixth major incident to target a bridge in 2022, and it is the eighth largest crypto theft of all time.”
The attack was “made possible by a recent change in Nomad’s smart contract that made it possible for users to ‘spoof’ transactions – thereby falsely claiming ownership of collateral within the bridge.”
The initial exploiter “utilized the vulnerability to bridge 0.1 Wrapped Bitcoin (WBTC) through the Moonbeam blockchain – ending up with 100 WBTC ($2.3 million) on Ethereum.”
Since the spoof transaction was easily replicable given its broadcast on block explorers, several copycat exploiters “initiated the same or similar transaction to exploit the same vulnerability.”
Security researcher Samczsun posted a breakdown of the exploit on Twitter and called the incident “chaotic” – “pointing to the lack of coding proficiency required to initiate it.”
“All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it,” Samczsun noted via social media.
Elliptic has “identified over 40 exploiters and more than 200 malicious contracts deployed to automate the exploit.”
The most prolific exploiter “was aided with 202 self-deployed malicious contracts and gained just under $42 million.”
Wallets used to initiate previous DeFi thefts – “including the January 2021 exploit of SushiSwap and the May 2021 exploit of RARI Capital – are also among those involved in this exploit.”
The exploiters “gradually drained the Nomad Ethereum contract of WETH, WBTC and stablecoins DAI, Tether and USDC.” Other lower value ERC-20 tokens “were also stolen.” As many Nomad users also “withdrew their funds, the contract was left with just $15,000 in cryptoassets at midday August 2nd.”
An ETH address with the domain nomadexploit.eth has been “set up and has signed transactions to various exploiters with variants of the following on-chain message.” At least six exploiters “have since confirmed their intention to return the funds as a white hat.”
There is “no verification yet as to whether the address is affiliated with Nomad, which also issued a warning against victims interacting with any other entity apart from official Nomad channels.”
Nomad is “the sixth major bridge – alongside the major exploits of Wormhole, Ronin and Horizon – to be attacked in 2022. Smaller exploits have also targeted Qubit and Meter.”
However, the attack vector “is unique to other recent bridge exploits, which were orchestrated through private key compromises (in the case of Ronin and Horizon) or code exploits that allowed the infinite minting of assets (Wormhole).”
Of these exploits, the Ronin and Horizon incidents “have been attributed to North Korean cyberhackers known as the Lazarus Group, which has netted around $650 million from these attacks.”
Across the top 10 crypto hacks of all time – of which the Nomad exploit is eighth by USD value lost – “four are now incidents relating to bridges.”
This also “includes the record-breaking $611 million PolyNetwork exploit in August 2021 – so far the largest crypto hack of all time.”
Exemplifying the risks faced by bridges, their exploits alone “now make up just under 50% ($1.6 billion) of total funds lost in the top 10 thefts.”
Bridges have long been “known to be attractive for cyberhackers.” They typically “hold large liquidity, as users wishing to convert funds across blockchains typically lock their assets within their contracts.” They also “operate on blockchains that are relatively less secure.”
The Nomad exploit is “likely to raise questions around the security of bridges once again.”
Elliptic claims it has “taken urgent action to ensure that the Nomad Bridge exploiters have been labelled and available for screening within [their] tools.”
Elliptic Lens and their transaction monitoring tool Elliptic Navigator “will be able to ensure they are not processing any funds stolen from crypto exploits.”
For more details, check here.