Bad code resulted in $190 million being taken from Nomad Bridge, a cryptocurrency protocol that lets people move cryptocurrencies between different blockchains. In a so-called “decentralized theft”, a bug in Nomad’s code allowed people to take money that wasn’t theirs simply by copying and pasting a script.
All blockchains may look alike to the uninitiated, but crypto traders often use several, such as Ethereum, Avalanche and Solana. Moving tokens between blockchains – for example, receiving bitcoin and using it on the Ethereum blockchain, or receiving ether and using it on Solana – can actually be quite complex. To meet this demand, several companies have created cross-chain bridges: you deposit cryptocurrency into a smart contract on one blockchain, and a corresponding token is issued to you on another blockchain.
The key point when it comes to Monday’s exploit is that this entire process depends on locking cryptocurrencies in a smart contract. One ether deposited in an Ethereum smart contract acts as collateral for the ether that the user receives, for example, on the Avalanche blockchain. Nomad had over $190 million in public funds in the smart contract prior to the exploit. At the time of this writing, only $9,000 remains locked in the smart contract.
Unfortunately, an “upgrade” to this smart contract introduced a vulnerability that anyone could exploit. Decentralized finance being what it is – anonymous and notoriously degenerate – $190 million was sucked out of the protocol in a matter of hours.
Public Discord servers are showing posts of random people making anywhere from $3,000 to $20,000 with Nomad Bridge – all you had to do was copy the hacker’s first transaction and change the address, then hit send via Etherscan. Just like real crypto – the first decentralized theft. https://t.co/jWV9AamBer
— Fat Man (@FatManTerra) August 2, 2022
The Nomad bridge is being actively hacked. WETH and WBTC are being withdrawn in increments of $1 million. Withdraw all funds if you can, there is still $126 million left in the contract, which is probably at risk pic.twitter.com/oDo7oT1glW
— foobar (@0xfoobar) August 1, 2022
This attack on Nomad was something I had never seen before.
People began repeating the attack minutes later, with the original attacker systematically emptying the pool.
At one point, random dudes with ENS names were receiving a million US dollars in a single transaction. pic.twitter.com/KgBxAfLHtJ
— times (@leadinscientist) August 1, 2022
You need to know Solidity, the Ethereum development language, to understand the technical details. The bottom line is that the smart contract was broken: certain transactions that should have required approval could be sent without it, and then replicated. The suspicious transactions appear to have started around 9:13 AM PT, when several wallets withdrew 100 bitcoin ($1.7 million) from the bridge. From there, all anyone had to do was copy the exact script the attacker had used, replace the original exploiter’s wallet address with their own, and submit it. Others withdrew ether and the USDC stablecoin, among other tokens.
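The failure the article describes, a bridge contract executing messages that were never approved, comes down to one check: a message should only be executable once it has been proven against a Merkle root the contract trusts. The following Python model is an added illustration written for this page, not Nomad’s contract and not the author’s analysis; it assumes a simplified “replica” that records, per message, the root it was proven against, and it shows the class of defect in which the storage default for “never proven” (an all-zero root) collides with a root the contract was misconfigured to trust. The recipient names, amounts and roots are constructed.

```python
"""Simplified model of a cross-chain bridge's inbound message check.

Added illustration, not Nomad's code. A message is only supposed to be
executable after it has been *proven* against a Merkle root that the
bridge trusts. The defect modelled here: the storage default meaning
"never proven" (an all-zero root) is itself accepted as a trusted root,
so unproven messages pass the check, and because each copy with a new
recipient has a different hash, per-message replay protection does not
stop the copy-paste wave.
"""
from dataclasses import dataclass, field
from hashlib import sha256

UNPROVEN = b"\x00" * 32  # storage default: this message was never proven
TRUSTED_ROOT = b"\x11" * 32  # constructed root a relayer legitimately submitted


def message_hash(dest: str, recipient: str, amount: int) -> bytes:
    """Identity of a bridge message; changing the recipient changes the hash."""
    return sha256(f"{dest}|{recipient}|{amount}".encode()).digest()


@dataclass
class Replica:
    # root -> block number at which it becomes acceptable (0 = never)
    confirm_at: dict = field(default_factory=dict)
    # message hash -> root it was proven against (absent == UNPROVEN)
    proven_root: dict = field(default_factory=dict)
    processed: set = field(default_factory=set)
    balances: dict = field(default_factory=dict)
    strict: bool = True  # True = hardened check, False = defective check

    def trust_root(self, root: bytes, at_block: int) -> None:
        self.confirm_at[root] = at_block

    def acceptable_root(self, root: bytes, now: int) -> bool:
        # Hardened form: the "unproven" sentinel is never a trusted root,
        # regardless of what confirm_at says about it.
        if self.strict and root == UNPROVEN:
            return False
        t = self.confirm_at.get(root, 0)
        return t != 0 and now >= t

    def process(self, dest: str, recipient: str, amount: int, now: int) -> bool:
        """Execute a message if (and only if) its proof is acceptable."""
        h = message_hash(dest, recipient, amount)
        if h in self.processed:
            return False  # same message cannot be executed twice
        root = self.proven_root.get(h, UNPROVEN)
        if not self.acceptable_root(root, now):
            return False
        self.processed.add(h)
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return True


def simulate(strict: bool) -> tuple:
    """Return (legit proven msg ok, unproven msg ok, copied unproven msg ok)."""
    r = Replica(strict=strict)
    r.trust_root(TRUSTED_ROOT, at_block=100)
    r.trust_root(UNPROVEN, at_block=1)  # the misconfiguration under test (constructed)

    # A legitimately relayed message, proven against the trusted root.
    h = message_hash("eth", "alice", 5)
    r.proven_root[h] = TRUSTED_ROOT
    ok_legit = r.process("eth", "alice", 5, now=200)

    # A message that was never proven at all.
    ok_unproven = r.process("eth", "mallory", 100, now=200)
    # The same message with only the recipient changed: new hash, so the
    # per-message replay guard is no help; only the root check can stop it.
    ok_copy = r.process("eth", "carol", 100, now=200)
    return ok_legit, ok_unproven, ok_copy


if __name__ == "__main__":
    print("defective check :", simulate(strict=False))
    print("hardened check  :", simulate(strict=True))
```

With the defective check every call succeeds; with the hardened check only the proven message does. The broader lesson for anyone writing such a verifier is that a sentinel value meaning “no proof” must be rejected explicitly, and that an upgrade or initialization routine must never be able to mark that sentinel as trusted.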
“That’s why the hack was so chaotic,” said Sam Sun, a researcher at crypto investment firm Paradigm, in a tweet dissecting the exploit. “You didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find the transaction that worked, find/replace the other person’s address with yours, and then resubmit the request.”
“Easy as CTRL-C, CTRL-V,” another blockchain researcher tweeted.
Since most people simply copied and pasted, the funds left in identical amounts. For example, there were hundreds of transactions in which people withdrew exactly $202,440 in the USDC stablecoin.
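That identical-amount pattern is a detection signal in its own right: a burst of withdrawals of the same token and the same amount, going to many different recipients within a few blocks, is the signature of a copy-paste replay wave rather than of normal use. The script below is an added example for this page, not a Nomad tool; it runs over a small constructed withdrawal log (the block numbers, transaction ids, amounts and recipients are made up, though one amount mirrors the $202,440 figure above) and flags such bursts while leaving repeated withdrawals by a single recipient alone.

```python
"""Flag copy-paste replay waves in a bridge withdrawal log.

Added example, not a Nomad tool. Heuristic: the same (token, amount)
withdrawn by at least `min_txs` distinct recipients within `max_span`
blocks. The log below is constructed, not real chain data.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: block, tx id, token, amount, recipient
SAMPLE_LOG = """\
block,tx,token,amount,recipient
100,0xa1,WBTC,100,0xfeed01
101,0xa2,WBTC,100,0xfeed02
101,0xa3,WBTC,100,0xfeed03
102,0xa4,USDC,202440,0xbeef01
102,0xa5,USDC,202440,0xbeef02
103,0xa6,USDC,202440,0xbeef03
103,0xa7,USDC,202440,0xbeef04
104,0xa8,USDC,202440,0xbeef05
105,0xa9,USDC,17,0xcafe01
106,0xaa,USDC,17,0xcafe01
107,0xab,WETH,3,0xcafe02
"""


def parse_withdrawals(text: str) -> list:
    """Parse the CSV log into dicts with typed block and amount fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "block": int(row["block"]),
            "tx": row["tx"],
            "token": row["token"],
            "amount": int(row["amount"]),
            "recipient": row["recipient"],
        })
    return rows


def find_replay_bursts(rows: list, min_txs: int = 3, max_span: int = 5) -> list:
    """Return one alert per (token, amount) whose largest block window of
    at most `max_span` blocks holds >= min_txs withdrawals to distinct recipients."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["token"], r["amount"])].append(r)

    alerts = []
    for (token, amount), txs in groups.items():
        txs.sort(key=lambda r: r["block"])
        best = None
        i = 0
        for j in range(len(txs)):
            # Slide the window start forward until it spans <= max_span blocks.
            while txs[j]["block"] - txs[i]["block"] > max_span:
                i += 1
            window = txs[i:j + 1]
            recipients = {r["recipient"] for r in window}
            if len(recipients) >= min_txs and (best is None or len(window) > best["txs"]):
                best = {
                    "token": token,
                    "amount": amount,
                    "txs": len(window),
                    "recipients": len(recipients),
                    "first_block": window[0]["block"],
                    "last_block": window[-1]["block"],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_replay_bursts(parse_withdrawals(SAMPLE_LOG)):
        print(f"{a['token']} {a['amount']}: {a['txs']} withdrawals to "
              f"{a['recipients']} recipients in blocks {a['first_block']}-{a['last_block']}")
```

On the sample log the WBTC 100 and USDC 202,440 groups are flagged, while the two USDC 17 withdrawals (same recipient twice) and the lone WETH withdrawal are not. On a live bridge the same grouping would run over indexed `Transfer` events, with the threshold tuned to the bridge's normal volume.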
In the blockchain equivalent of America’s dumbest criminals robbing gas stations with their license plates in plain view, some people drained the smart contract using public wallet addresses that could easily be traced back to them. Many returned the funds. Others claimed they had acted in good faith, withdrawing the funds in order to protect them and pledging to return them once the smart contract was secured.
“We are aware of an incident involving the Nomad Token Bridge,” Nomad said in a Twitter statement. “We are currently investigating and will provide updates when we have them.”
Nomad was contacted for comment but did not immediately respond.