Crypto Bridge Nomad Drained of Nearly $200M in Exploit
On Monday, the Nomad cross-chain token bridge was attacked, and the attackers drained the protocol of practically all its funds. Nearly $200 million worth of bitcoin was lost as a result of the hack.
Like other cross-chain bridges, Nomad enables users to transfer tokens back and forth between several blockchains. The attack on Monday is the most recent in a string of widely reported incidents that have raised concerns about the safety of cross-chain bridges.
In a message to CoinDesk, the Nomad team acknowledged the vulnerability. According to the team, leading organizations for blockchain intelligence and forensics have been retained, and an investigation is ongoing. “We have alerted law enforcement, and we are working nonstop to resolve the issue and deliver timely information. Identification of the implicated accounts, money recovery, and money tracing are our objectives.”
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022
What happened?
Bridges generally work by locking tokens in a smart contract on one network and then reissuing them in “wrapped” form on a different chain.
If the smart contract holding the original deposits is compromised, as happened in Nomad’s case, the wrapped tokens lose their backing and become worthless.
1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes 👇 pic.twitter.com/Y7Q3fZ7ezm
— samczsun (@samczsun) August 1, 2022
@samczsun, a researcher at the cryptocurrency investing company Paradigm, revealed on Twitter that a recent change to one of Nomad’s smart contracts made it simple for users to counterfeit transactions. Users could thus use the Nomad bridge to withdraw money that did not genuinely belong to them.
Unlike typical bridge attacks, in which a single perpetrator is responsible for the whole exploit, the Nomad attack was a free-for-all.
… Solidity, Merkle Trees, and other concepts weren’t necessary for you to understand. All you had to do was locate a successful transaction, locate/replace the other party’s address with your own, and then re-broadcast it, according to @samczsun.
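One way a monitoring team could spot the copy-and-replace pattern described above, as an added example that is not from the original article or from Nomad: it groups transactions whose calldata is identical once each sender's own address is masked out. The transaction fields, the function names, the threshold and all sample data are constructed assumptions, and the heuristic assumes the substituted address is the transaction sender.

```python
from collections import defaultdict

MASK = "<ADDR>"  # placeholder substituted for the sender's address

def _hex(s):
    """Lowercase a hex string and drop an optional 0x prefix."""
    s = s.lower()
    return s[2:] if s.startswith("0x") else s

def template(sender, calldata):
    """Calldata with every occurrence of the sender's 20-byte address masked."""
    return _hex(calldata).replace(_hex(sender), MASK)

def find_replay_clusters(txs, min_senders=3):
    """Flag payloads reused by >= min_senders accounts, each with its own address swapped in."""
    groups = defaultdict(list)
    for tx in txs:
        t = template(tx["from"], tx["input"])
        if MASK in t:  # ignore calldata that does not embed the sender
            groups[t].append(tx)
    clusters = []
    for members in groups.values():
        senders = sorted({m["from"].lower() for m in members})
        if len(senders) >= min_senders:
            clusters.append({"senders": senders,
                             "hashes": [m["hash"] for m in members]})
    return clusters

# Constructed sample data (hypothetical selector, addresses and amounts).
def _call(recipient, amount):
    return "0xaabbccdd" + "00" * 12 + _hex(recipient) + format(amount, "064x")

A, B, C, D = ("0x" + ch * 40 for ch in "1234")
SAMPLE_TXS = [
    {"hash": "tx-1", "from": A, "input": _call(A, 100)},
    {"hash": "tx-2", "from": B, "input": _call(B, 100)},  # same payload, address swapped
    {"hash": "tx-3", "from": C, "input": _call(C, 100)},  # same payload, address swapped
    {"hash": "tx-4", "from": D, "input": _call(D, 250)},  # different amount: own template
    {"hash": "tx-5", "from": D, "input": _call(A, 100)},  # sender not embedded: skipped
]

if __name__ == "__main__":
    for c in find_replay_clusters(SAMPLE_TXS):
        print(len(c["senders"]), "senders reused one payload:", c["hashes"])
```

A burst of distinct accounts sharing one masked template against a bridge contract is a signal worth alerting on, since ordinary users rarely submit byte-identical payloads.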
Nomad: A ‘secure’ alternative
Bridge attacks have risen in frequency over the past several months as cryptocurrency users have shown a greater desire to transfer funds across various blockchains.
While cross-chain bridges have enabled the spread of fledgling blockchains, bridge failures may be disastrous for smaller chains that depend on them for a significant portion of their overall liquidity.
One of Nomad’s more recent blockchains, Evmos, tweeted that because the Nomad attack “seriously damages original Evmos [total value locked],” it would be “brainstorming community solutions.”
The Ronin bridge attack in April, the biggest decentralized finance (DeFi) attack in history, resulted in the theft of over $600 million in cryptocurrency from the bridge that drives the blockchain-based game Axie Infinity.
A few months before that, the Solana blockchain community and the larger decentralized finance ecosystem were rocked by the theft of nearly $300 million from the Wormhole bridge.
Investors were lured in by Nomad’s promise that its platform would be inherently safer than competing ones.
Just last week, it came to light that leading cryptocurrency investors OpenSea and Coinbase Ventures were among those who took part in an April seed round that valued the firm at $225 million.
