US-based crypto project Nomad was hit by a massive hack that compromised nearly $200 million on the platform. The hackers are said to have exploited a vulnerability in the platform’s transaction call data feature, affecting multiple users.
The company’s official Twitter account confirmed the hack, tweeting that an investigation was under way and that more updates would follow.
We are aware of the Nomad Token Bridge incident. We are currently investigating and will provide updates as soon as we have them.
— Nomad (@nomadxyz_) August 1, 2022
Many experts believe this hack is very different from, and messier than, some of the previous ones in crypto.
What is Nomad?
Nomad is a US-based crypto project focused on interoperability between different networks, which is basically a way of connecting two blockchains. The project essentially uses programmable bridges to swap different cryptos on different blockchains more cheaply and more securely.
The company recently announced a list of investors in its $22 million funding round, in which venture capital firms like Polychain Capital, Crypto.com, Coinbase, and Ethereal Ventures were among the big names putting up the money.
The irony of the whole situation is that Nomad was very security conscious, touting itself as a security-focused cross-chain messaging protocol. So much so, in fact, that the CEO even said it was a “safe time” in January.
“We are safe” — @pranaymohan
— Nomad (@nomadxyz_) January 27, 2022
How did the hack happen?
A security researcher, who goes by the alias “samczsun” on Twitter, explained the hack: “a routine upgrade marked the null hash as a valid root, allowing messages on Nomad to be spoofed. Attackers abused this to copy/paste transactions and quickly looted the bridge in a frantic free-for-all.”
If you want to dive into the technical details of the whole hack, you can check out this security analyst thread.
1/ Nomad just got ripped off over $150 million in one of the messiest hacks Web3 has ever seen. How exactly did this happen and what was the cause? Allow me to take you behind the scenes pic.twitter.com/Y7Q3fZ7ezm
— samczsun (@samczsun) August 1, 2022
Experts say the vulnerability was so easy to exploit that other hackers could have simply copied the Nomad hacker’s transaction call data and used it to hack the platform.
Even more bizarre is that this very vulnerability was mentioned in the audit report released by QSP-19 a few months ago.
The section of the QSP-19 report that highlighted the vulnerability. (Photo: Quantstamp)
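The failure mode samczsun describes can be modelled in a few lines. This is an added illustration, not Nomad's contract code: the class, function names and sample hashes are hypothetical, and it assumes that a message which was never proven reads back as the all-zero root, as an unset storage slot would.

```python
import hashlib

ZERO_ROOT = bytes(32)  # the "null hash": 32 zero bytes


class Replica:
    """Hypothetical, simplified model of a bridge's message check."""

    def __init__(self, trusted_roots, reject_zero_root):
        # Roots marked valid at initialisation or upgrade time.
        self.confirmed = set(trusted_roots)
        # message hash -> root it was proven against (empty = nothing proven).
        self.proven_under = {}
        self.reject_zero_root = reject_zero_root

    def prove(self, message_hash, root):
        """Record that a message was proven against a trusted root."""
        if root not in self.confirmed:
            raise ValueError("untrusted root")
        self.proven_under[message_hash] = root

    def acceptable(self, message_hash):
        # Unknown messages fall back to the default value, ZERO_ROOT.
        root = self.proven_under.get(message_hash, ZERO_ROOT)
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: "never proven" can never be valid
        return root in self.confirmed


def audit_initial_roots(trusted_roots):
    """Pre-deployment check: default-valued roots that must never be trusted."""
    return [r for r in trusted_roots if r == ZERO_ROOT]


def demo():
    # Constructed sample values, not real roots or messages.
    good_root = hashlib.sha256(b"constructed root").digest()
    proven = hashlib.sha256(b"constructed proven message").digest()
    forged = hashlib.sha256(b"constructed never-proven message").digest()
    results = {}
    for label, roots, strict in [
        ("before_upgrade", [good_root], False),
        ("after_upgrade", [good_root, ZERO_ROOT], False),
        ("hardened", [good_root, ZERO_ROOT], True),
    ]:
        replica = Replica(roots, strict)
        replica.prove(proven, good_root)
        results[label] = (replica.acceptable(proven), replica.acceptable(forged))
    return results
```

Each result pair is (proven message accepted, never-proven message accepted); only the configuration that trusts the zero root without the explicit rejection accepts the never-proven message.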
The hack happened within hours as the platform was drained from $200 million to zero. According to some tweets on Nomad’s official Twitter handle, some of the money was siphoned off by white-hat hackers and ethical researchers to ensure the entire amount didn’t fall into the hands of unscrupulous companies.
Nomad has also asked these individuals to send the funds they withdraw to specific addresses.
Some extra caution is required
Nomad says it is working around the clock to return the funds and has also notified law enforcement. It is also working with chain analytics/intelligence company TRM Labs to trace the funds and identify recipients’ wallets in order to recover the funds.
Nomad Bridge Funds Recovery Process
Dear white hat hackers and friends of ethical researchers protecting ETH/ERC-20 tokens,
Please send the funds to the following wallet address on Ethereum: 0x94A84433101A10aEda762968f6995c574D1bF154 pic.twitter.com/UF623JSZ8u
— Nomad (@nomadxyz_) August 3, 2022
It is important to know that more than $1.8 billion in crypto has been stolen in recent years as a result of these bridge hacks. The fact that these bridges are deployed so quickly without proper verification leads to hackers exploiting these vulnerabilities.
Even Ethereum creator Vitalik Buterin has spoken about his pessimism towards bridges as they are still among the most vulnerable when it comes to hacks.
This breach makes the whole situation worse for the crypto community as it could be perceived as a crypto hack (which it is not).
Crypto is going through one of its worst phases, and the news of hacks related to crypto platforms is discouraging people from investing in the technology. There is an urgent need to be more proactive in the development of such underlying technologies so that these vulnerabilities can be nipped in the bud.