
$200M was stolen in a hacker attack on the Nomad Bridge

On August 01, 2022, a hacker stole $190 million worth of assets from the Nomad cross-chain protocol. The stolen tokens are currently being "laundered" through the popular crypto-mixer Tornado.Cash.

Nomad Bridge provides infrastructure for interconnecting projects: it allows dApps in different ecosystems to interact with each other and transfer tokens between Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Milkomeda C1 and Moonbeam (GLMR). As of April 2022, the project had a total capitalization of $225 million.

Also noteworthy is that a few days ago the service received $22 million of venture funding from Polychain Capital, Wintermute and Coinbase Ventures funds.

TokenScope analysts dug into the details of the hack and conducted their own research into the theft of funds.

The hack was discovered by a user who tweeted that an incoming Nomad Bridge transaction on the Moonbeam network for 0.01 WBTC (0xcca9299c739a1b538150af007a34aba516b6dade1965e80198be021e3166fe4c) did not match in amount the 100 WBTC withdrawal from the Nomad Bridge on the Ethereum network (0xa5fe9d044e4f3e5aa5bc4c0709333cd2190cba0f4e7f16bcf73f49f83e4a5460).

At the same time, the transaction confirmations for the withdrawal of funds in WBTC from the Nomad Bridge were missing from the transaction code. This indicated a malfunction in the bridge contract itself.

Further examination revealed that during a routine update, the Nomad team initialized the trusted root to 0x00. (Using zero values as initialization values is common practice.) Unfortunately, in this case it had the "small side effect" of skipping the automatic check of each message, meaning that any transaction sent did not require any approval. The existence of such a vulnerability was highlighted in a security audit report, which was released in the first week of June.

All you had to do was find a transaction that worked, replace the other person's address with your own, and then re-broadcast it. The hackers took advantage of this and quickly emptied the bridge.
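The root check described above can be modelled in a few lines of Python. This is an added illustration, not Nomad's contract code: the class, the method names and the messages are constructed, and proof verification is reduced to recording which root a message was proven against.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # default value of an unset 32-byte slot


class Replica:
    # Toy model of the receiving side of a bridge (illustrative names).
    def __init__(self, trusted_root: bytes, reject_zero_root: bool):
        self.confirmed_roots = {trusted_root}  # roots accepted as trusted
        self.proven_under = {}  # message hash -> root its proof resolved to
        self.reject_zero_root = reject_zero_root

    def prove(self, message: bytes, root: bytes) -> None:
        # Stand-in for Merkle proof verification: only records the resulting root.
        self.proven_under[hashlib.sha256(message).digest()] = root

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: the default value is never a valid root
        return root in self.confirmed_roots

    def process(self, message: bytes) -> bool:
        digest = hashlib.sha256(message).digest()
        # As in a contract mapping, a message that was never proven reads as zero.
        root = self.proven_under.get(digest, ZERO_ROOT)
        return self.acceptable_root(root)


def demo() -> dict:
    real_root = hashlib.sha256(b"constructed merkle root").digest()
    unproven = b"constructed message: no proof was ever submitted"
    proven = b"constructed message: proven against real_root"

    vulnerable = Replica(ZERO_ROOT, reject_zero_root=False)
    hardened = Replica(ZERO_ROOT, reject_zero_root=True)
    healthy = Replica(real_root, reject_zero_root=True)
    healthy.prove(proven, real_root)
    return {
        "zero root trusted, unproven message": vulnerable.process(unproven),
        "zero root rejected, unproven message": hardened.process(unproven),
        "real root, proven message": healthy.process(proven),
        "real root, unproven message": healthy.process(unproven),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: accepted={accepted}")
```

Only the first case accepts a message that was never proven: the "not proven" default and the trusted root are the same value, so the lookup itself passes the check.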

The hackers initially withdrew $2.3 million worth of WETH and WBTC, with a message on Twitter at 01:35 on 02 August 2022 that Nomad still had the funds.

A few hours later, the remaining funds were withdrawn from the Nomad Bridge in more than 200 transactions, in various coins such as Covalent Query Token (CQT), USD Coin (USDC), Frax (FRAX), IAGON (IAG), Hummingbird Governance Token (HBOT), Card Starter (CARDS), GeroWallet (GERO), DAI and others.

Part of the funds was withdrawn through the well-known crypto-mixer Tornado.Cash, as well as via wallets on the Uniswap exchange. The rest of the funds is currently distributed across 41 addresses, among which there are 7 bot addresses, 6 addresses belonging to white-hat hackers and the address of the intruder who took part in the Rari Capital hack in late April this year.

After the attack on the service, the token of the Cardano decentralized oracle network Charli3 (C3) briefly dropped 87%.

Such a chaotic attack indicates the involvement of several hackers and hacker groups in the theft of funds.

Nomad developers commented the next day that they were aware of the incident and were currently investigating it. As the situation becomes clearer, the team will provide more information. However, it is unlikely that depositors will be able to get their money back, since the service has actually been looted.

We continue to monitor further developments.

You can report to us any cases related to specific cryptocurrency addresses and the associated risks at TokenScope via the "Report cryptocurrency address" form. This will help to protect other users from the risks of interacting with such addresses and their owners.

The TokenScope Team