Nomad Token Bridge Raided for $190M in ‘Frenzied Free-For-All’

‘Security-first’ token bridge Nomad accidentally allowed anyone to submit illicit transactions; ‘hackers’ capitalized

by David Canellis /
article-image

Source: Shutterstock

share

key takeaways

  • The Nomad incident is the third-biggest cryptocurrency hack of the year, behind Wormhole and Ronin
  • Around 41 addresses siphoned cryptocurrency from the protocol

Token bridge Nomad has suffered a “frenzied free-for-all” after attackers raided the protocol for more than $190 million in cryptocurrency.

Nomad, which marketed itself as a “security-first” platform for sending ERC-20 tokens between compatible blockchains, confirmed the raid in a Tuesday morning tweet.

“Nomad identified an attack on its token bridge on August 1 at approximately 5:32 PM Eastern Time (ET),” the company said in a statement emailed to Blockworks. “An investigation is ongoing and leading firms for blockchain intelligence and forensics have been retained. Nomad has notified law enforcement and is working around the clock to address the situation and provide timely updates.”

The incident differs from other large-scale hacks to cripple token bridges this year. Token bridges enable crypto users to port digital assets over networks by first locking them inside a smart contract. 

The bridge then issues a derivative token, a “wrapped asset,” on the other side, with their values backed by their original deposits. Nomad supports Ethereum, Avalanche, Evmos and Moonbeam.

February’s Wormhole hack saw attackers exploit buggy smart contract code to mint themselves $320 million in Wrapped Ether without posting the required collateral. 

The Axie Infinite Ronin bridge attack, disclosed in March, involved a months-long phishing campaign to acquire private keys associated with its multisig wallet, which resulted in some $625 million in crypto stolen (both incidents valued at the time of the attack).

But Sam Sun, head of security at digital asset investment firm Paradigm, explained in a Twitter thread that Nomad’s thieves didn’t need to know anything about the Ethereum programming language Solidity to make off with user collateral.

Rari Capital hacker returned to raid Nomad

Nomad’s developers had accidentally pushed a routine upgrade which told the protocol to process any transaction with the default root hash of “0x00,” where usually blockchain networks require a unique and specific root as proof that the transaction is valid.

This meant Nomad would effectively approve any transaction submitted to the protocol. After an attacker realized and initiated large illicit transfers, other users simply copy-pasted their transaction script and replaced the receiver address with their own, explained Victor Young, chief architect at interoperability network Analog.

To Young, a key advantage of smart contract platforms, like the ones powering Nomad, is that they are Turing-complete systems. They can compute “virtually everything a modern digital computer can do from a mathematical standpoint,” Young said.

“Unfortunately, this introduces countless and unknown attack vectors that open the smart contract to hacks,” Young told Blockworks. “When you combine this with lax developers that fail to implement a robust set of testing mechanisms, you get the ridiculous meltdown that we are currently witnessing.”

Loading Tweet..

Young prescribed other blockchain platforms end-to-end tests and repeated code audits to help mitigate risk of this happening elsewhere.

Blockchain security firm PeckShield reported around 41 addresses had raided Nomad, a mixture of Wrapped Bitcoin and Wrapped Ether alongside stablecoins DAI and USDC. 

Notably, the same address associated with the Rari Capital hack in late-April was said to have pilfered $3.4 million in cryptocurrency. Less than $12,000 remains in Nomad’s smart contracts, down from more than $190 million before the raid, per DeFi Llama

The Nomad incident is now the third-biggest hack of the year, behind Wormhole and Ronin. It’s unclear what’s next for the firm. 

Both Wormhole and the Axie Infinite teams raised venture capital in a bid to make both their users and protocols whole following their respective hacks. The company told Blockworks that its goal is to identify the accounts involved and ultimately trace and recover crypto.

Nomad also said that “many white hat [hacker] friends” had reacted quickly to withdraw and safeguard some of the funds, and directed its community to follow its Twitter account for instructions on how to return the stolen money.

Loading Tweet..

This article was updated at 4:09 am ET, August 3, to include Nomad’s statement.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the On the Margin newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Permissionless III Hackathon

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2024

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

learn more

Permissionless III

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Permissionless is a conference for founders, application developers, and users. Come meet the next generation of people building and using crypto.

learn more

recent research

Research Report Templates (1).png

Research

Why Solana Mobile Should 100x Their Phone Production

Solana Mobile is a highly ambitious foray into the mobile consumer hardware market, seeking to open up a crypto-native distribution channel for mobile-first applications. The market for Solana Mobile devices has demonstrated a phenomenon whereby external market actors (e.g. Solana-native projects) continuously underwrite subsidies to Mobile consumers. The value of these subsidies, coming in the form of airdrops, trial programs, and exclusive NFT mints, have consistently covered the cost of the phone and generated positive returns for consumers. Given this trend in subsidies, the unit economics in the market for Mobile devices, and the initial growth rate and trajectory of sales, it should be expected that Solana mobile can clear 1M to 10M units over the coming years. As more devices circulate amongst users, Solana Mobile presents a promising venue for the emergence of killer-applications uniquely enabled by this mobile-first, crypto-native distribution channel.

by Luke Leasure

/

news

article-image

Analysis

Empire Newsletter: How US presidencies map to crypto markets

Plus, breaking down Donald Trump’s shifting crypto stance

by Katherine Ross&David Canellis /
article-image

DeFiMarkets

Mt. Gox customers to receive crypto assets after 10-year wait

Markets are holding relatively steady despite the supply shock

by Donovan Choy /
article-image

Markets

Markets brace for volatility as VIX rises to highest level since April 

Analysts are looking ahead to August, a historically volatile month made more interesting this year by the US presidential election

by Casey Wagner /
article-image

Analysis

On the Margin Newsletter: A notoriously rough month for markets is upcoming

Plus, a look into Lighting Labs’ newest feature

by Casey Wagner /
article-image

Opinion

Crypto investors must embrace new tax rules or risk falling behind

Crypto’s Wild West era is over — it’s time to embrace regulation to secure the future of digital assets

by Zac Townsend /
article-image

Analysis

Lightspeed Newsletter: Wine tokenization on Solana

Plus, Solana has now surpassed Ethereum in trailing 30-day decentralized exchange volume

by Jack Kubinec&Jeff Albus /