Cryptocurrency bridge Nomad was hit by a wild attack on Monday that cost the platform some $200 million worth of crypto assets. The incident involved exploiting a smart contract flaw that allowed anyone to drain funds from vulnerable accounts.
Nomad is a popular bridge service that lets users swap crypto tokens and data between different blockchains.
The platform disclosed the attack in a tweet on Monday. Initially, Nomad labeled it an “incident” that was under investigation. On Tuesday, the company released a new statement saying that the team is “working around the clock to address the situation.”
The second statement also mentioned the involvement of law enforcement and “leading firms for blockchain intelligence and forensics” in the investigation.
A researcher under the moniker samczsun at crypto/Web3 investment firm Paradigm explained the attack in an elaborate Twitter thread. The security incident was first reported on the ETHSecurity Telegram channel and analyzed by various security researchers.
As it turns out, Nomad misconfigured a smart contract during a routine upgrade, with the effect that every message on the bridge was treated as already proven and could therefore be spoofed. The chaotic nature of the hack stemmed from its simplicity: users just needed to identify valid transactions, replace the receiver’s address with their own, and re-broadcast them.
Once they caught wind of the malicious technique, users went on a spree and drained the bridge accounts.
“tl;dr a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad,” reads samczsun’s tweet. “Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all.”
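To make the mechanism in the thread concrete, the following is an added, deliberately simplified model written for this article; it is not Nomad's contract code. It assumes a replica that records, per message, the Merkle root the message was proven against, with the mapping default (the zero hash) standing for "never proven", and that trusts a root when its confirmation timestamp is non-zero. Marking the zero hash as a trusted root then makes every unproven message pass the check, which is why a copied transaction with a swapped recipient is accepted. The `reject_zero_root` guard is one illustrative hardening for the model, not a description of Nomad's actual fix.

```python
"""Constructed model of the "zero hash marked as a valid root" flaw.

Not Nomad's code: a minimal replica whose message -> root mapping defaults to
the zero hash for messages that were never proven.
"""

import hashlib

ZERO_HASH = b"\x00" * 32


def message_hash(message: bytes) -> bytes:
    """Content hash used as the message identifier (sha256 for the model)."""
    return hashlib.sha256(message).digest()


class Replica:
    def __init__(self, reject_zero_root: bool) -> None:
        self.reject_zero_root = reject_zero_root
        # root -> confirmation timestamp; 0 (or absent) means untrusted
        self.confirm_at: dict[bytes, int] = {}
        # message hash -> root it was proven against; absent means ZERO_HASH
        self.messages: dict[bytes, bytes] = {}
        self.processed: set[bytes] = set()

    def acceptable_root(self, root: bytes) -> bool:
        # Hardened variant: the "never proven" sentinel can never be trusted,
        # regardless of what an upgrade wrote into confirm_at.
        if self.reject_zero_root and root == ZERO_HASH:
            return False
        return self.confirm_at.get(root, 0) != 0

    def prove(self, message: bytes, root: bytes) -> bool:
        # A real replica verifies a Merkle proof here; the model trusts the caller
        if not self.acceptable_root(root):
            return False
        self.messages[message_hash(message)] = root
        return True

    def process(self, message: bytes) -> bool:
        """Execute a message if it was proven against a trusted root."""
        h = message_hash(message)
        if h in self.processed:
            return False  # replay of an identical message is rejected
        # Unproven messages fall back to ZERO_HASH: this is the flaw's entry point
        if not self.acceptable_root(self.messages.get(h, ZERO_HASH)):
            return False
        self.processed.add(h)
        return True


def misconfigured_upgrade(replica: Replica) -> None:
    """Model of the routine upgrade that marked the zero hash as trusted."""
    replica.confirm_at[ZERO_HASH] = 1


def demo() -> dict[str, bool]:
    # Constructed sample messages: a legitimately proven one and a copy
    # whose recipient was swapped, which nobody ever proved.
    real_root = hashlib.sha256(b"constructed-root").digest()
    legit = b"transfer 100 TOKEN to alice"
    spoofed = legit.replace(b"alice", b"mallory")

    vulnerable = Replica(reject_zero_root=False)
    misconfigured_upgrade(vulnerable)

    fixed = Replica(reject_zero_root=True)
    misconfigured_upgrade(fixed)
    fixed.confirm_at[real_root] = 1
    fixed.prove(legit, real_root)

    return {
        "vulnerable_accepts_spoofed": vulnerable.process(spoofed),
        "fixed_rejects_spoofed": not fixed.process(spoofed),
        "fixed_accepts_proven": fixed.process(legit),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable replica executing the never-proven, recipient-swapped copy, while the guarded replica still accepts the properly proven message and rejects the copy. The takeaway for anyone auditing similar code is that a mapping's default value is a sentinel, and any trust check must treat that sentinel as untrusted no matter what configuration later writes.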
Fortunately, Nomad might be able to recover some of the funds from “whitehats that drained preventively,” as Nassim Eddequiouaq, CISO for Crypto at venture capital firm a16z, suggests. On the other hand, the identities of most users who drained Nomad’s accounts remain largely unknown.