Cross-chain messaging protocol Nomad has become the target of crypto's latest nine-figure attack after hackers abused a "chaotic" security exploit to steal nearly $200 million in digital assets.
Nomad, a token bridge that allows users to send and receive tokens between the Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Moonbeam (GLMR) and Milkomeda C1 blockchains, was attacked on Monday, with hackers draining almost all of its funds.
About $190.7 million in crypto was stolen from the bridge, according to decentralized finance tracking platform DeFi Llama, which shows that the bridge's current total value locked (the amount of user funds deposited in a DeFi protocol) is, at the time of writing, less than $12,000.
Nomad has yet to confirm how hackers managed to steal the funds. But according to samczsun, head of security at web3 investment firm Paradigm, a recent update to a Nomad smart contract made it easy for users to spoof transactions. This meant that when a user transferred funds from one blockchain to another, Nomad allegedly never verified the amount, allowing the user to withdraw funds that did not belong to them. For example, a user could send 1 ETH and then manually invoke the smart contract on the other blockchain to receive 100 ETH. Blockchain auditing company Zellic reached the same conclusion.
"It's like using a checkbook to withdraw money from a bank, and the bank doesn't check that we actually have enough money," Adrian Hetman, technical lead of the triage team at the Web3 bug bounty program Immunefi, told TechCrunch. "They only care that the check itself looks valid."
samczsun explains that unlike most bridge attacks, where there is a single culprit behind the entire exploit, the Nomad attack was a free-for-all, with opportunists flocking to steal funds from the bridge as soon as word got around, leading to what the researcher described as a "frenzied free-for-all." Blockchain security company PeckShield said more than 41 addresses siphoned $152 million, or 80% of the stolen funds.
“All that was required to exploit it was to copy the original hacker’s transaction and change the original address to a custom one. Just copy and paste,” added Hetman.
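To make the "bank that only checks the check looks valid" failure and the copy-and-paste attack concrete, here is an added illustration in Python. It is not Nomad's contract code and does not reproduce the actual bug; it models the difference the article draws between a replica that credits a withdrawal message because it is well formed (WeakReplica) and one that credits it only after a Merkle proof shows the message was committed on the source chain (ProvenReplica). The account names, amounts, nonce scheme and toy Merkle tree are assumptions made for the example.

```python
# Added illustration, not Nomad's contract code and not the real bug:
# a replica that credits a message because it looks valid (WeakReplica)
# versus one that credits it only after a Merkle proof against a root
# committed on the source chain (ProvenReplica). Names and amounts are assumptions.
import hashlib
from dataclasses import dataclass


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()  # stand-in for keccak256


@dataclass(frozen=True)
class Message:
    sender: str     # depositor on the source chain
    recipient: str  # account credited on the destination chain
    amount: int     # constructed units, not real token amounts
    nonce: int

    def hash(self) -> bytes:
        return h(f"{self.sender}|{self.recipient}|{self.amount}|{self.nonce}".encode())


def merkle_root(leaves):
    """Root of a toy Merkle tree; an odd layer is padded by duplicating its last node."""
    layer = list(leaves)
    while len(layer) > 1:
        layer += [layer[-1]] if len(layer) % 2 else []
        layer = [h(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0]


def merkle_proof(leaves, index):
    """Sibling hashes from leaf to root, each tagged with whether the sibling is on the left."""
    layer, proof = list(leaves), []
    while len(layer) > 1:
        layer += [layer[-1]] if len(layer) % 2 else []
        proof.append((layer[index ^ 1], (index ^ 1) < index))
        layer = [h(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
        index //= 2
    return proof


def verify_proof(leaf, proof, root):
    node = leaf
    for sibling, on_left in proof:
        node = h(sibling, node) if on_left else h(node, sibling)
    return node == root


class WeakReplica:
    """The bank that only checks the check looks valid: format and replay checks only."""
    def __init__(self):
        self.balances, self.processed = {}, set()

    def process(self, msg):
        if msg.hash() in self.processed or msg.amount <= 0 or not msg.recipient.startswith("0x"):
            return False
        self.processed.add(msg.hash())
        self.balances[msg.recipient] = self.balances.get(msg.recipient, 0) + msg.amount
        return True


class ProvenReplica:
    """Credits a message only if it proves into a root this replica has accepted."""
    def __init__(self):
        self.balances, self.processed, self.accepted_roots = {}, set(), set()

    def update(self, root):
        self.accepted_roots.add(root)  # assumption: delivered signed by a trusted updater

    def process(self, msg, proof, root):
        leaf = msg.hash()
        if leaf in self.processed or root not in self.accepted_roots:
            return False
        if not verify_proof(leaf, proof, root):
            return False  # never committed on the source chain: reject
        self.processed.add(leaf)
        self.balances[msg.recipient] = self.balances.get(msg.recipient, 0) + msg.amount
        return True


def demo():
    """alice deposits 1 unit; an attacker copies her message, swaps the recipient and
    inflates the amount (the 'copy and paste' attack), and submits it to both replicas."""
    legit = Message("0xalice", "0xalice", 1, nonce=1)
    other = Message("0xbob", "0xbob", 5, nonce=2)          # second leaf so the proof is non-empty
    leaves = [legit.hash(), other.hash()]                  # what the source chain committed
    root, proof = merkle_root(leaves), merkle_proof(leaves, 0)
    forged = Message("0xalice", "0xmallory", 100, nonce=1)

    weak, proven = WeakReplica(), ProvenReplica()
    proven.update(root)
    return {
        "weak_legit": weak.process(legit),
        "weak_forged": weak.process(forged),
        "proven_legit": proven.process(legit, proof, root),
        "proven_forged": proven.process(forged, proof, root),
        "weak_mallory_balance": weak.balances.get("0xmallory", 0),
        "proven_mallory_balance": proven.balances.get("0xmallory", 0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The forged message passes every check the weak replica performs, because those checks only say that the message is shaped like a real one. The proven replica rejects it because changing the recipient or the amount changes the leaf hash, so the copied proof no longer leads to a root the replica accepted. The same `processed` set also stops the legitimate message from being replayed.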
The incident involved Wrapped Ether (WETH), USD Coin (USDC), WBTC and other tokens being drained from the bridge.
TechCrunch has contacted Nomad but has not yet received a response. However, the company took to Twitter to warn of impersonators trying to raise money. "We are aware of impersonators posing as Nomad and using fraudulent addresses to collect money," it said. "We are not yet issuing instructions on the return of bridging funds. Ignore communications from all channels except the Nomad official channel."
In a separate tweet, Nomad confirmed that it has notified law enforcement and hired leading blockchain intelligence and forensics firms with the goal of “identifying the accounts involved and tracing and recovering the funds.”
The attack comes just days after Nomad disclosed that a number of high-profile crypto investors, including Coinbase Ventures, OpenSea, Polygon, and Crypto.com Capital, participated in its $22 million seed round in April, which gave the company a $225 million valuation.
“Our goal at Nomad is to make communication over blockchains more secure,” Nomad said last week. “We believe secure cross-chain messaging is key to uniting DeFi ecosystems and unlocking the true power and potential of the block space, wherever it may be.”
The Nomad attack is the latest in a series of high-profile incidents that have challenged the security of cross-chain bridges. Axie Infinity’s Ronin Bridge lost more than $600 million in a hack in April this year, and the Harmony Horizon Bridge lost $100 million in June.
https://techcrunch.com/2022/08/02/nomad-chaotic-exploit-crypto/ Hackers abuse ‘chaotic’ Nomad exploit to drain almost $200M in crypto – TechCrunch