Nomad Bridge Loses $190m in Crypto Hack

Nomad Bridge Crypto Hack

Crypto bridge Nomad has lost $190 million in cryptocurrencies due to an exploit.

Bridges are a kind of software which allow tokens to be interoperable across blockchains. In recent months, bridge attacks have become more frequent, as hackers have noticed an increase in demand for swapping assets between chains.

Nomad bridge is a cross-chain communication standard that allows for users to send and receive tokens between different blockchains such as Ethereum, Evmos, Avalanche, Milkomeda C1, and Moonbeam.

Confirming the incident, Nomad has stated that they will update users accordingly once progress is made on investigation. As of writing, Nomad has not yet published instructions regarding the return of bridge funds, and has reminded the community not to take heed of updates outside of Nomad’s official communication channels.

Amongst the incident’s first reporters was a tweet from @speekaway, showing a screenshot with a suspicious amount of transactions made on Nomad bridge. At first, it can be interpreted that the bridge was running a “‘send 0.01 WBTC, get 100 WBTC back’ promotion,” however, Nomad was at a point where it was losing about $10M per minute.

Through manual digging, @samczun, a researcher at the crypto investment firm Paradigm found that by digging through the Moonbeam network, which bridges to Nomad, transactions were not properly “proofed” – they were only declared as “processed” and therefore not checked by the system.

However, Moonbeam has tweeted that they have no evidence that the incident was related to the Moonbeam codebase.

According to another crypto researcher @ParadigmEng420, the process function in a transaction allows the checking of the domain of the message is correct and is signed for the intended transaction; that the message has been proven by the prover; and that it calls the handler to do what the message wants, i.e. bridging tokens.

As these transactions were not properly checked, @samczsun has detailed in a series  of tweets that the problem lies in the common practice in which zero values are used as initiation values, causing the detrimental effect of automatically proving transactions.

Adding to the confusion, an anonymous user has come forth stating that the Nomad bridge incident is a whitehack, and that they “plan to return the funds.”

Just a few days before the hack, Nomad had announced its list of investors in its $22 million seed round. Led by Polychain capital, other backers include Coinbase Ventures, Capital,  Ethereal Ventures, and Hack VC.

Share Post: