\nHackers abuse \u2018chaotic\u2019 Nomad exploit to drain almost $200M in crypto<\/br>
\n2023-01-20 22:24:13<\/br><\/p>\n
![](\"https:\/\/i0.wp.com\/techcrunch.com\/wp-content\/uploads\/2020\/06\/GettyImages-1174590894.jpg?w=1140&ssl=1\")
\n\t\t<\/div>\n<\/p><\/div>\nCross-chain messaging protocol Nomad has become the target of crypto\u2019s latest nine-figure attack after hackers abused a \u201cchaotic\u201d security exploit to steal almost $200 million in digital assets.<\/p>\n
Nomad, a token bridge that allows users to send and receive tokens between Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Moonbeam (GLMR) and Milkomeda C1 blockchains, was attacked on Monday, with hackers draining almost all of the protocol\u2019s funds.<\/p>\n
Approximately $190.7 million in crypto was stolen from the bridge, according to decentralized finance tracking platform DeFi Llama<\/a>, which shows that the current total value locked \u2014 the amount of user funds deposited in a DeFi protocol \u2014 is less than $12,000 at the time of writing.<\/p>\n Nomad has yet to confirm how hackers were able to steal the funds. But according to samczsun<\/a>, the head of security at web3 investment firm Paradigm<\/a>, a recent update to one of Nomad\u2019s smart contracts made it easy for users to spoof transactions. This meant that when a user transferred funds from one blockchain to another, Nomad allegedly never checked the amount, enabling the user to withdraw funds that didn\u2019t belong to them. For example, a user could send 1 ETH, then manually call the smart contract on the other blockchain to receive 100 ETH. Blockchain audit company Zellic also came to<\/a> the same conclusion.<\/p>\n \u201cIt\u2019s like using a checkbook to withdraw funds from a bank, and the bank doesn\u2019t verify if we actually hold enough money,\u201d Adrian Hetman, tech lead of the triaging team at web3 bug bounty program Immunefi, told TechCrunch. \u201cThey only care that the check itself looks valid.\u201d<\/p>\n 12\/ tl;dr a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy\/paste transactions and quickly drained the bridge in a frenzied free-for-all<\/p>\n \u2014 samczsun (@samczsun) August 2, 2022<\/a><\/p>\n<\/blockquote>\n<\/div>\n Samczun explains that, unlike most bridge attacks where a single culprit is behind the entire exploit, the \u201cchaotic\u201d Nomad attack was a free-for-all whereby opportunists flocked to steal funds from the bridge once word had got around, resulting in what the researcher described as a \u201cfrenzied free-for-all.\u201d Blockchain security firm Peckshield<\/a> said more than 41 addresses drained $152 million \u2014 or 80% of the stolen funds.<\/p>\n \u201cAll that was required to exploit it was to copy the original hacker\u2019s transaction and change the original address to a custom one. Simple copy-paste,\u201d Hetman added.<\/p>\n The incident affected Wrapped Ether (WETH), USD Coin (USDC), WBTC and other tokens that were drained from the bridge.<\/p>\n TechCrunch contacted Nomad but has yet to receive a response. However, the company took to Twitter<\/a> to warn about impersonators trying to collect funds.\u00a0\u201cWe\u2019re aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds,\u201d it said. \u201cWe aren\u2019t yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad\u2019s official channel.\u201d<\/p>\n In a separate tweet, Nomad confirmed it has notified\u00a0law enforcement and retained leading firms for blockchain intelligence and forensics with an aim to \u201cidentify the accounts involved and to trace and recover the funds.\u201d<\/p>\n The attack comes just days after Nomad revealed<\/a> that a number of high-profile crypto investors, including\u00a0Coinbase Ventures<\/a>,\u00a0OpenSea<\/a>, Polygon and Crypto.com Capital, had participated in its $22 million April seed round, which landed the company a $225 million valuation.<\/p>\n \u201cAt Nomad, our goal is to make it safer to communicate across blockchains,\u201d Nomad said last week. \u201cWe believe that secure cross-chain messaging is the key to uniting DeFi ecosystems and unlocking the true power and potential of block space, wherever it may be.\u201d<\/p>\n The Nomad attack is the latest in a string of highly publicized incidents which have drawn the security of cross-chain bridges into question. Axie Infinity\u2019s Ronin Bridge lost more than $600 million in a hack<\/a>\u00a0in April this year and Harmony\u2019s Horizon bridge was drained of $100 million in June<\/a>.<\/p>\n<\/p><\/div>\n <\/br><\/br><\/br><\/p>\n\n