Hack of Crypto Payments Bridge Turns into $190M DeFi Free-for-All

The $190 million hack of Nomad, a cross-chain bridge protocol used to make transactions between different blockchains is unusual in one regard.

The theft on Monday (Aug. 1) theft wasn’t carried out by one bad actor — but apparently by hundreds who were simply able to cut and paste the transaction used in the first attack, substituting their own wallet addresses.

The size of the attack — taking the Nomad bridge’s wallet from $190.7 million to a few hundred dollars — means a reported 14,000 users have been robbed.

It is the fourth major bridge protocol hack of the year, following the $320 million Wormhole hack in February, $620 million Ronin hack in April and the $100 million Horizon hack in June. In the first two cases, the attack was an exploit in which a “black hat” hacker found a weakness in the code. The Horizon attackers apparently compromised the private key codes of several validators who secure proof-of-stake blockchains by guaranteeing that transactions are valid.

Read more: The $100M Hack and Crypto’s Cross-Chain Payments Problem

Bridge protocols facilitate cross-chain payments and transactions by letting people deposit one token (often Ethereum’s ether or stablecoins) and withdraw a “wrapped” — temporary — version of the second chain’s native token that can be used on the new one. When the wrapped tokens are replaced and a fee is paid, users can unlock the crypto they deposited.

Exploiters generally find a way to trick the bridge into letting them withdraw tokens they did not deposit.

Too Easy

Normally, exploiting a flaw in a project’s code requires substantial expertise in both crypto programming languages — generally, Solidity, developed for Ethereum and used by many competitors — and deep technical knowledge of how blockchains, decentralized finance and bridge protocols work.

That was not the case with Nomad, according to Sam Sun, a researcher for Paradigm, a Web3 investment firm.

While the initial hacker needed that expertise, the flaw was so basic that anyone could exploit it once they knew how, he said on Twitter.

“You didn’t need to know about Solidity or Merkle Trees or anything like that,” Sun said. “All you had to do was find a transaction that worked, find/replace the other person’s [digital wallet] address with yours, and then re-broadcast it. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all.”

Blockchain security firm Certik said in an analysis of the attack that a flawed upgrade of the Nomad code allowed an attacker to “bypass the message verification process and drain the tokens from the bridge contract.”

One blockchain security researcher told TechCrunch, “It’s like using a checkbook to withdraw funds from a bank, and the bank doesn’t verify if we actually hold enough money,” in the account to cover it. “They only care that the check itself looks valid.”

Certik added that “in four hours, other hackers, bots and community members replicated the initial attack, draining it in a frenzied mob attack in what [blockchain developer and] Twitter user “@0xfoobar called, ‘…the first decentralized crowd-looting of a 9-figure bridge in history?’”

Nomad, whose Twitter account bio says that the “future of cross-chain communication is optimistic,” noted that it is “working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics. Our goal is to identify the accounts involved and to trace and recover the funds.”

While some questions have been raised about whether it really was a mob-style looting rather than one attacker pretending to be many, Nomad also noted that many “white hat” hackers have reached out saying they took funds in order to protect them from theft and asked where to return them.

In April, Nomad raised $22.4 million in a seed funding round led by major crypto venture capital firm Polychain Capital.

In its announcement, Nomad said its “cross-chain messaging protocol tackles the growing need for more secure blockchain interoperability… Unlike validator-based cross-chain bridges, Nomad does not rely on a large set of external parties and only one honest actor is required to keep the entire system safe.”

Or not.


For all PYMNTS Crypto coverage, subscribe to the daily Crypto Newsletter.