As evidenced by its namesake, apparently there wasn’t much security stopping a horde of wandering strangers from breaking into the Nomad DeFi project’s token bridge, allowing hundreds of unknown hackers and some ordinary users to walk away with over $US190 ($274.92) million in crypto, leaving behind a bare pittance in the project’s wallet.
Late on Monday, users started noticing tokens being extracted from Nomad’s accounts “in million-dollar increments.” Crypto security company CertiK confirmed in a Tuesday analysis that the bridge protocol, which allows users to send tokens between separate blockchains, had been breached thanks to a routine upgrade that allowed bad actors to skip message verification. Cointelegraph reported that the first transaction, likely the initial hacker, removed about $US2.3 ($3.33) million in crypto from the bridge.
Tweet by 0xngmi (@0xngmi), August 1, 2022: “190M in total hacked from nomad bridge. Here's the breakdown by token, mainly USDC, WETH and WBTC” pic.twitter.com/j465fTVKzs
Apparently, this breach then allowed other users to exploit the bridge, turning it into a Black Friday-esque free-for-all. CertiK’s analysis said the vulnerability lay in the token bridge’s initialization process, introduced in the flawed upgrade, and allowed users to copy and paste the original hacker’s transaction and replace the destination with their own. Researchers said that in just four hours, other hackers, bots, and even community members drained the protocol in a “frenzied mob.”
The crypto developer who goes by Foobar on Twitter wrote that this attack was “the first decentralized crowd-looting of a 9-figure bridge in history.” Hundreds of addresses received tokens from the bridge during the exploit.
Some users have actually gone back to the protocol, hanging their heads in shame and offering to return the stolen funds. Some claimed it was “an accident,” while others said they were trying to protect their friends’ assets, according to screenshots posted by Foobar. DefiLlama shows the value remaining in the bridge sitting at just under $US16,000 ($22,211).
Tweet by foobar (@0xfoobar), August 2, 2022: “A couple of those grabbing bridge funds, some who have publicly come forward and offered to return”
Rari Capital Exploiter
Others who said they drained funds claimed they were “whitehackers” trying to keep crypto safe and are waiting to return the funds, though Gizmodo was unable to verify any of these supposed whitehackers’ claims, nor how much in funds these good-faith actors tried to save. A Nomad representative told Cointelegraph they were grateful to the “many” whitehackers who safeguarded funds.
For its part, Nomad wrote on Twitter that it was “working around the clock to address the situation.” Developers said they had contacted law enforcement while they work to “identify the accounts involved and to trace and recover the funds.” This apparent software bug isn’t a good look for a company that had previously touted its belief in a “security-first, cross-chain future.”
Of course, Nomad had been a darling of crypto investors just a few months ago, raising $US22 ($31) million in a seed round led by the crypto investor Polychain Capital.
This isn’t the only bridge to be hacked this year. The Ronin Bridge, used by the developers of the play-to-earn game Axie Infinity, was hacked for nearly $US625 ($904) million earlier this year. Hackers reportedly gained access by contacting a developer on LinkedIn and, after several rounds of fake interviews, sending him a bogus job-offer PDF that contained malware, giving them access to his computer. Despite efforts to return users’ stolen crypto and restore the bridge, the developers have yet to fully restore users’ trust in their systems.