Nomad Bridge Hack: Here’s the Full Account of How Exploit Happened

Updated on Aug 2, 2022 at 1:08 pm UTC · 2 mins read

The exploit left open access to all users who knew what to do and exactly how to do it.

The Nomad bridge hack is the latest in a list of security exploits that are now commonplace with cross-chain bridges and the world of decentralized finance (DeFi) at large. According to statements issued by Nomad, it lost over $190 million in funds in the Monday exploit, which lasted for a few hours.

What Led to the Nomad Bridge Hack?

Typically, bridges like Nomad operate by locking up tokens in a smart contract on one chain. They then reissue the same tokens on another chain, but this time in a ‘wrapped’ form.

In the Nomad bridge hack, however, it was the smart contract where the tokens are locked up that got exploited, all thanks to a recent update. As a researcher identified as @samczsun pointed out on Twitter, the update opened up a loophole in Nomad’s smart contract. That allowed users to fake transactions, withdrawing funds from the bridge that weren’t necessarily theirs.

Meanwhile, the Nomad bridge hack also differs from those before it in the number of attackers. Most bridge attacks in the past have had a single attacker, but that was not the case with Nomad. The exploit left open access to all users who knew what to do and exactly how to do it.

According to PeckShield, 41 addresses took over $152 million in the hack. But that represents only about 80% of the total amount lost.

As Nomad itself has clarified, however, some of the funds were drained by white-hat actors. They acted in the interest of Nomad to ensure that the funds do not end up in the wrong hands.

A Growing Menace

The rising demand for cross-chain asset swapping by crypto users has also undeniably ushered in an era of frequent bridge attacks.

In March, the Ronin bridge attack became the biggest DeFi attack to date. The bridge lost over $600 million worth of crypto to the attack at the time. Since then, the DeFi ecosystem has never been the same.

But even before the Ronin episode, the Wormhole bridge was exploited in a similar fashion. It lost $322 million in total to its February hack.

In summary, while bridges such as Nomad have given blockchain startups the chance to proliferate, bridge hacks like these also hold the potential to ruin the smaller chains that rely on them for liquidity.
