Hack turns into $190 million DeFi free for all
The $190 million hack of Nomad, a cross-chain bridge protocol used to transact between different blockchains, is unusual in one respect.
Monday’s (August 1) theft wasn’t committed by a single bad actor – but apparently by hundreds who were able to simply cut and paste the transaction used in the first attack, substituting their own wallet addresses.
The size of the attack – taking the Nomad Bridge’s wallet from $190.7 million to a few hundred dollars – meant that 14,000 users were robbed.
This is the fourth major bridge protocol hack of the year, following the $320 million Wormhole hack in February, the $620 million Ronin hack in April, and the $100 million Horizon hack in June. In the first two cases, the attack was an exploit in which a “black hat” hacker found a weakness in the code. The Horizon attackers apparently compromised the private keys of several validators, which secure proof-of-stake blockchains by ensuring that transactions are valid.
Bridge protocols facilitate cross-chain payments and transactions by allowing users to deposit a token (often ether or Ethereum stablecoins) and withdraw a “wrapped” – temporary – version of the native token from the second chain that can be used on the new one. When the wrapped tokens are returned and a fee is paid, users can unlock the crypto they deposited.
Exploiters usually find a way to trick the bridge into letting them withdraw tokens they haven’t deposited.
Normally, exploiting a flaw in a project’s code requires substantial expertise in both crypto programming languages – typically Solidity, developed for Ethereum and used by many competitors – and deep technical knowledge of how blockchains, decentralized finance and bridge protocols work.
That wasn’t the case with Nomad, according to Sam Sun, a researcher for Paradigm, a Web3 investment firm.
While the original hacker needed that expertise, the flaw was so basic anyone could exploit it once they knew how, he said on Twitter.
11/ That’s why the hack was so messy – you didn’t need to know Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with your own, then re-send it
— samczsun (@samczsun) August 2, 2022
“You didn’t need to know about Solidity or Merkle Trees or anything like that,” Sun said. “All you had to do was find a transaction that worked, find/replace the [digital wallet] address with yours, then repost it. Attackers abused it to copy/paste transactions and quickly emptied the bridge in a frantic free for all.”
Blockchain security firm Certik said in an analysis of the attack that a faulty update to the Nomad code allowed an attacker to “bypass the message verification process and flush bridge contract tokens”.
A blockchain security researcher told TechCrunch, “It’s like using a checkbook to withdraw funds from a bank, and the bank doesn’t check whether we actually have enough money” in the account to cover it. “They only care that the check itself looks valid.”
Certik added that “over four hours, other hackers, bots and community members replicated the initial attack, draining it in a frenzied mob attack in what [blockchain developer and] Twitter user @0xfoobar called, ‘…the first decentralized plunder of a 9 digit bridge in history?’”
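The copy-and-paste replication described above leaves a recognisable trace: many distinct senders submitting the same call to one contract with only their own address swapped in. A defender-side sketch of that check follows, added here as an illustration and not code from Nomad, Certik or the article; the transaction fields, sample data and three-sender threshold are assumptions, and the four-hour window follows Certik's figure.

```python
from collections import defaultdict

def calldata_template(calldata_hex, sender):
    """Replace the sender's own 20-byte address inside the calldata with a marker."""
    data = calldata_hex.lower().removeprefix("0x")
    return data.replace(sender.lower().removeprefix("0x"), "<sender>")

def find_copycat_clusters(txs, min_senders=3, window_s=4 * 3600):
    """Map (contract, template) -> sorted senders for calldata reused by at least
    min_senders distinct addresses within window_s seconds of its first use."""
    first_seen, senders = {}, defaultdict(set)
    for tx in sorted(txs, key=lambda t: t["ts"]):
        template = calldata_template(tx["input"], tx["from"])
        if "<sender>" not in template:
            continue  # sender's address is not embedded, so not this pattern
        key = (tx["to"].lower(), template)
        start = first_seen.setdefault(key, tx["ts"])
        if tx["ts"] - start <= window_s:
            senders[key].add(tx["from"].lower())
    return {k: sorted(v) for k, v in senders.items() if len(v) >= min_senders}

# Constructed sample data: placeholder addresses, selector and amounts.
BRIDGE = "0x" + "b0" * 20
A, B, C, D = ("0x" + f"{i:02x}" * 20 for i in (0x11, 0x22, 0x33, 0x44))

def _tx(sender, ts, amount=100, to=BRIDGE):
    body = "aabbccdd" + "00" * 12 + sender[2:] + f"{amount:064x}"
    return {"from": sender, "to": to, "ts": ts, "input": "0x" + body}

SAMPLE_TXS = [
    _tx(A, 0), _tx(B, 600), _tx(C, 1200),   # same call, only the address differs
    _tx(D, 900, amount=7),                   # different call: its own template
    {"from": D, "to": BRIDGE, "ts": 1300, "input": "0xdeadbeef"},  # no address
]

if __name__ == "__main__":
    for (contract, _), who in find_copycat_clusters(SAMPLE_TXS).items():
        print(f"{contract}: {len(who)} senders reused one call: {who}")
```

A cluster only shows that one call was reused by several addresses; it does not show whether those addresses belong to different people.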
Nomad, whose Twitter account bio states that “the future of cross-chain communication is optimistic,” noted that it is “working around the clock to remedy the situation and has notified law enforcement and retained the services of leading companies for blockchain intelligence and forensics. Our goal is to identify the accounts involved and to trace and recover the funds.”
While some questions have been raised as to whether this was truly mob-style looting rather than an attacker pretending to be many, Nomad also noted that many “white hat” hackers reached out saying they had taken funds in order to protect them from theft and asked where to return them.
In April, Nomad raised $22.4 million in a seed funding round led by leading crypto venture capital firm Polychain Capital.
In its announcement, Nomad said its “cross-chain messaging protocol addresses the growing need for more secure blockchain interoperability…Unlike validator-based cross-chain bridges, Nomad does not rely on a large number of external parties and a single honest actor is needed to ensure the security of the whole system.”