Crypto bridge Nomad has lost $190 million in cryptocurrencies due to an exploit.
Bridges are a kind of software that allows tokens to be interoperable across blockchains. In recent months, bridge attacks have become more frequent, as hackers have noticed an increase in demand for swapping assets between chains.
Nomad bridge is a cross-chain communication standard that allows users to send and receive tokens between different blockchains such as Ethereum, Evmos, Avalanche, Milkomeda C1, and Moonbeam.
Confirming the incident, Nomad has stated that it will update users once progress is made on the investigation. As of writing, Nomad has not yet published instructions regarding the return of bridge funds, and has reminded the community to disregard updates from outside Nomad’s official communication channels.
We’re aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds. We aren’t yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad’s official channel: @nomadxyz_
— Nomad (⤭⛓🏛) (@nomadxyz_) August 2, 2022
Among the first reports of the incident was a tweet from @speekaway showing a screenshot with a suspicious number of transactions made on the Nomad bridge. At first glance, it could be read as the bridge running a “‘send 0.01 WBTC, get 100 WBTC back’ promotion”; in fact, Nomad was at that point losing about $10M per minute.
Digging manually through transactions on the Moonbeam network, which bridges to Nomad, @samczsun, a researcher at the crypto investment firm Paradigm, found that transactions were not properly “proofed”: they were only declared “processed” and were therefore not checked by the system.
However, Moonbeam has tweeted that they have no evidence that the incident was related to the Moonbeam codebase.
According to another crypto researcher, @ParadigmEng420, the process function checks that the domain of the message is correct and that the message is signed for the intended transaction, checks that the message has been proven by the prover, and then calls the handler to do what the message wants, i.e. bridging tokens.
10/ It turns out that during a routine upgrade, the Nomad team initialized the trusted root to be 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case it had a tiny side effect of auto-proving every message pic.twitter.com/fA3XbNW9qT
— samczsun (@samczsun) August 2, 2022
Because these transactions were not properly checked, @samczsun detailed in a series of tweets that the problem stems from the common practice of using zero values as initialization values, which in this case had the detrimental effect of automatically proving transactions.
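A simplified Python model of the failure described above, added here as an illustration and not Nomad's contract code: it shows why trusting a zero root accepts messages that were never proven, next to a hardened check. The class names, method names and sample hashes are constructed, and the model assumes an unproven message reads back a default zero root, as unset EVM storage does.

```python
# Simplified model (constructed for illustration; not Nomad's contract code).
ZERO_ROOT = b"\x00" * 32


class FlawedReplica:
    """Models storage where a missing key reads as zero, like an EVM mapping."""

    def __init__(self, trusted_root):
        self.confirmed = {trusted_root}   # roots accepted as valid
        self.proven_root = {}             # message hash -> root it was proven under

    def prove(self, msg_hash, root):
        # Stand-in for Merkle proof verification against `root`.
        if root not in self.confirmed:
            raise ValueError("unknown root")
        self.proven_root[msg_hash] = root

    def process(self, msg_hash):
        # Assumption: an unproven message reads back the default zero root.
        root = self.proven_root.get(msg_hash, ZERO_ROOT)
        return root in self.confirmed


class HardenedReplica(FlawedReplica):
    def __init__(self, trusted_root):
        if trusted_root == ZERO_ROOT:
            raise ValueError("zero root must never be trusted")
        super().__init__(trusted_root)

    def process(self, msg_hash):
        # Absence is tracked explicitly instead of via a zero sentinel.
        root = self.proven_root.get(msg_hash)
        return root is not None and root != ZERO_ROOT and root in self.confirmed


def demo():
    unproven = b"\x11" * 32    # constructed message hash, never proven
    proven = b"\x22" * 32      # constructed message hash, proven below
    real_root = b"\xaa" * 32   # constructed non-zero root
    flawed_zero = FlawedReplica(ZERO_ROOT).process(unproven)
    flawed_real = FlawedReplica(real_root).process(unproven)
    hardened = HardenedReplica(real_root)
    hardened.prove(proven, real_root)
    return flawed_zero, flawed_real, hardened.process(unproven), hardened.process(proven)


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The first result is the failure mode: with the zero root trusted, the default value for "not proven" is indistinguishable from "proven under a trusted root".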
This is a whitehack. I plan to return the funds. Waiting for official communication from Nomad team (please provide an email id for communication). I have not swapped any assets even after knowing that USDC can be frozen. Transferred USD…https://t.co/ffWoS2kOSA
— Notifi Bot (@notifi_xyz) August 2, 2022
Adding to the confusion, an anonymous user has come forward stating that the Nomad bridge incident is a whitehack, and that they “plan to return the funds.”
Just a few days before the hack, Nomad had announced the list of investors in its $22 million seed round. The round was led by Polychain Capital; other backers include Coinbase Ventures, Crypto.com Capital, Ethereal Ventures, and Hack VC.