A bug in the smart contract cost the Nomad cryptocurrency bridge almost $200,000,000, and allowed the attackers to pull off what experts call “the first decentralized mass heist in history.”
The Nomad bridge, which provides transfers between the Ethereum, Avalanche, Moonbeam, Evmos and Milkomeda blockchains, was the victim of an attack earlier this month. For the first time, the incident was mentioned in the official Twitter account of Nomad on August 1, 2022, as a kind of “incident”, but already on August 2, the developers reported that they were “working around the clock to eliminate the situation” and notified law enforcement agencies about the incident.
An expert from crypto and Web3 investment firm Paradigm explains that the attack was due to a misconfiguration of the project’s main smart contract during the upgrade. The bug allowed anyone with at least a basic understanding of the code to allow themselves to cash out.
“That’s why the hack turned out so chaotic. You didn’t need to know about Solidity, Merkle Trees or anything like that. All that had to be done was to find the transaction that worked, find/replace the address of the other person with your own, and then relay it,” the specialist writes.
In turn, the company CertiK, specializing in blockchain security, notes that in this case the domino principle worked when people saw that funds were stolen using the above method and substituted their own addresses to reproduce the attack. This led to what Twitter called “the first ever decentralized mass heist” in which approximately $200 million in crypto was stolen.
Now, some experts believe that some of the stolen funds could have been preventively withdrawn and saved by white hats, whose identities are unknown. It is assumed that they can return the “stolen”.
Be that as it may, currently Nomad’s TVL (total value locked, the amount of blocked or frozen funds on the smart contract of a project or a specific liquidity pool) is only about $77,000, although before the incident this figure exceeded $190 million.
It must be noted that this is far from the first major heist of a cryptocurrency bridge. For example, in March of this year, due to the compromise of the Ronin blockchain, which is closely related to the popular NFT game Axie Infinity, more than $600 million was stolen. A month earlier, in February 2022, the Wormhole blockchain bridge was hacked, and then the attackers stole over $320 million.