Internet-based messaging protocol Nomad has been the target of the latest nine-figure crypto attack after hackers abused a “chaotic” security exploit to steal nearly $200 million worth of digital assets.
Nomad, a token bridge that allows users to send and receive tokens between the Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Moonbeam (GLMR) and Milkomeda C1 blockchains, came under attack on Monday when hackers drained nearly all of the protocol’s funds.
Approximately $190.7 million in cryptocurrency was stolen from the bridge, according to the decentralized finance tracking platform DefiLlama, which shows that the current total value locked — the amount of user funds deposited into the DeFi protocol — is less than $12,000 at the time of writing.
Nomad has yet to confirm how the hackers managed to steal the funds. But according to samczsun, head of security at web3 investment company Paradigm, a recent update to one of Nomad’s smart contracts made it easier for users to forge transactions. This meant that when a user transferred funds from one blockchain to another, Nomad allegedly never verified the amount, allowing the user to withdraw funds that did not belong to them. For example, a user could send 1 ETH and then manually call a smart contract on another blockchain to receive 100 ETH. Blockchain audit company Zellic came to the same conclusion.
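To make the missing check concrete, the following is an added toy model written for this page, not Nomad’s code (the real bridge’s message format and verification logic are not shown here). The source chain commits outgoing transfer messages into a Merkle root that its validators attest; on the destination chain, `release` pays out only a message whose inclusion proof verifies against an attested root, while `release_unchecked` shows the pattern the text describes, paying out whatever the caller claims. All names, the hash choice and the attestation step are assumptions of the model.

```python
import hashlib

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def message_digest(recipient: str, amount_wei: int, nonce: int) -> bytes:
    """Canonical encoding of a transfer message: who is owed how much, plus a nonce."""
    return h(recipient.encode(), amount_wei.to_bytes(32, "big"), nonce.to_bytes(8, "big"))

def merkle_root_and_proofs(leaves):
    """Source-chain side: commit a batch of digests; returns (root, {leaf_index: proof})."""
    level, pos = list(leaves), {i: i for i in range(len(leaves))}
    proofs = {i: [] for i in pos}
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the odd leaf out
        for leaf, p in pos.items():
            proofs[leaf].append((level[p ^ 1], p % 2 == 1))  # (sibling, sibling_is_left)
            pos[leaf] = p // 2
        level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], proofs

def verify_proof(digest: bytes, proof, root: bytes) -> bool:
    for sibling, sibling_is_left in proof:
        digest = h(sibling, digest) if sibling_is_left else h(digest, sibling)
    return digest == root

class DestinationBridge:
    def __init__(self):
        self.attested_roots, self.processed, self.balances = set(), set(), {}

    def attest_root(self, root: bytes):  # assumed callable only by the source chain's validators
        self.attested_roots.add(root)

    def release_unchecked(self, recipient: str, amount_wei: int):
        # VULNERABLE pattern: pays out whatever the caller claims, never asking the source
        # chain whether a message for this recipient and amount was ever committed there.
        self.balances[recipient] = self.balances.get(recipient, 0) + amount_wei

    def release(self, recipient: str, amount_wei: int, nonce: int, proof, root: bytes):
        # HARDENED: root attested, message provably committed under it, not already paid.
        d = message_digest(recipient, amount_wei, nonce)
        if root not in self.attested_roots:
            raise ValueError("root not attested by source chain")
        if not verify_proof(d, proof, root):
            raise ValueError("message not committed under this root")
        if d in self.processed:
            raise ValueError("message already processed")
        self.processed.add(d)
        self.balances[recipient] = self.balances.get(recipient, 0) + amount_wei
```

With this model, a message claiming 100 ETH against a commitment for 1 ETH fails the inclusion proof, and a message committed under a root nobody attested is rejected before any balance changes.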
“It’s like using a checkbook to withdraw funds from a bank, and the bank doesn’t check if we really have enough money,” Adrian Hetman, technical leader of the triage team at Immunefi’s web3 bug bounty program, told TechCrunch. “All they care about is that the check itself looks valid.”
samczsun explains that, unlike most bridge attacks, where there is a single culprit behind the entire exploit, the “chaotic” Nomad attack was open to anyone, with opportunists flocking to drain funds from the bridge as soon as the exploit became known, resulting in what the researcher described as a frenzied free-for-all. Blockchain security firm PeckShield said $152 million, or 80% of the stolen funds, was drained by more than 41 addresses.
“All that was required to use it was to copy the original hacker transaction and change the original address to a custom one. The usual copy-paste,” Hetman added.
The incident affected Wrapped Ether (WETH), USD Coin (USDC), WBTC and other tokens that were drained from the bridge.
TechCrunch has contacted Nomad but has yet to receive a response. However, the company took to Twitter to warn about scammers trying to collect funds. “We are aware of scammers posing as Nomad and providing fraudulent addresses to raise funds,” the message says. “We are not yet giving instructions for the return of bridge funds. Ignore messages from all channels except the official Nomad channel.”
In a separate tweet, Nomad confirmed that it has notified law enforcement and hired leading blockchain intelligence and forensics firms to “identify accounts involved and trace and recover funds.”
The attack came just days after Nomad disclosed that a number of well-known crypto investors, including Coinbase Ventures, OpenSea, Polygon and Crypto.com Capital, participated in a $22 million April seed round, valuing the company at $225 million.
“Our goal at Nomad is to make communication over blockchains more secure,” Nomad said last week. “We believe secure messaging across networks is key to bringing DeFi ecosystems together and unlocking the true power and potential of the block space, wherever it is.”
The Nomad attack is the latest in a string of highly publicized incidents that have cast doubt on the security of bridges. Axie Infinity’s Ronin Bridge lost over $600 million in a hack this April and Harmony’s Horizon Bridge lost $100 million in June.
Credit: techcrunch.com