It happened again: hackers attacked a blockchain bridge causing millions of dollars to be lost. This time the victim was Nomad, a bridge that allows users to exchange tokens from blockchain. According to the project’s Twitter account, a hacker attack would have led to the loss of approx 200 million dollars. The first signs of this “accident” would have appeared on Monday 1 August, so much so as to convince the Nomad team to work “24 hours a day to deal with the situation”. Yet the question seems to have degenerated, so much so as to create many problems for bridge.
Nomad: the bridge victim of a hacker attack
There has been great chaos in the Nomad bridge business in the past few days. A hacker, in fact, created quite a stir and ended up stealing about 200 million dollars from him. In a Twitter thread, samczsun – a researcher at the cryptocurrency investment firm and Web3 Paradigm – explained that the attack was made possible by an incorrect configuration of the project’s master contract, which allowed anyone with basic knowledge of the code to authorize withdrawals to themselves. “That’s why the hack was so chaotic – he wrote -. You didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find / replace the other person’s address with yours, and then relay it. “
The Security team at @a16z Crypto has investigated and found the root cause of the @nomadxyz_ bridge hack. Nothing to be done at this time except getting funds back from whitehats that drained preventively.
We’ll work with ecosystem members to prevent such issues in the future. https://t.co/UpIagMJctQ
— Nass – nassyweazy.eth (@nassyweazy) August 2, 2022
The dynamics described by samczsun created a real chaos, with users who ended up substituting their addresses to replicate the attack. Enough to lead to what one user called “the first decentralized looting of a 9-digit bridge in history”. In a more optimistic view, Nassim Eddequiouaq by Andreessen Horowitz suggested that the funds could be recovered from “pre-dried whitehats”. Although it seems that the identities of those who managed to steal funds from the Nomad bridge are still unknown. On the other hand, it is undeniable that blockchain bridges are among the most coveted targets of hackers. The reason? The great value of the assets they often hold. And the complexity – which translates into vulnerability – of the smart contract code on which they run.
During the year, two hacker attacks resulted in the loss of nearly a billion dollars. In February the bridge Wormhole it was hacked for $ 325 million after a hacker found an error in the open source code uploaded to GitHub and exploited it. And in March, a hacker stole about $ 625 million from the blockchain Ronin, the basis of the Axie Infinity game. “Protecting cross-bridges from profitable attacks like this is one of the most pressing problems facing the Web3 community,” said Professor Ronghui Gu, CEO and co-founder of CertiK. “Their security posture must be firm and this is where many of the new developments in Web3 security will be most needed.”