Nomad Token Bridge Got $190M In ‘Frenzied Free-For-All’

While lone wolves perpetrate most crypto attacks, the $190 million breach of the Nomad cross-bridge on Monday looks to have resulted from a feeding frenzy of hundreds of malicious individuals.

Yesterday, $190 million in different crypto assets were stolen from Nomad’s cross-chain bridge after a software upgrade uncovered a severe vulnerability that enabled anybody to withdraw cash from the bridge.

Nomad exploit onchain activity, visualized. pic.twitter.com/WqjcbQfWKW

— Hsaka (@HsakaTrades) August 1, 2022

The blockchain security startup PeckShield revealed that an unidentified hacker found the flaw on Monday and promptly stole roughly $95 million. As word of the first vulnerability went across the crypto community, others hastened to help the original hacker in stealing funds.

Over 300 addresses had received cash from Nomad within an hour. The company estimates that 41 of them stole $152 million, or 80% of the stolen cash from the cross-chain bridge of Nomad.

However, they were not all awful actors. PeckShield’s study uncovered at least six addresses belonging to white hackers, or ethical hackers, who stole around $8.2 million from the bridge. It is believed that they will repay the funds.

Nomad is a cross-chain bridge that facilitates the transfer of ERC-20 tokens across Ethereum, Moonbeam, Evmos, and Avalanche. It is one of the available bridge services in crypto space.

Why did everything go wrong?

According to PeckShield, Nomad developers disclosed the bug during a smart contract upgrade. It was caused by the developers’ erroneous modification of the bridge’s smart contract and deployment of the code without sufficient auditing.

We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.

— Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022

The Nomad bridge attack is feasible because of an erroneous setup that resulted in the zero address (0x00) being identified as a trusted root, causing every message to be validated by default.

By marking 0x00 (the zero address), the trusted root inadvertently disabled a smart contract check that guaranteed legitimate addresses could receive withdrawals.

After the vulnerability was put into Nomad’s code, withdrawal requests from any address were by default deemed genuine. This indicated that anybody might take funds from the bridge.

The vulnerability does not need a deep technical understanding of smart contracts. It only required Updating the hacker’s transaction using Etherscan, changing the recipient’s address with one’s own, and submitting a withdrawal request on the Nomad bridge.