Nomad, a cross-chain bridge project, became the name on everyone's lips on the morning of August 2 after an attack that caused extremely serious damage, because many people piled in to take advantage of the vulnerability.
Nomad was mercilessly drained by users
At around 04:30 AM on August 2, the crypto community on Twitter began to notice strange transactions related to Nomad, a bridge between Ethereum and Moonbeam, the Polkadot parachain specializing in smart contracts.
Specifically, MetaMask developer @sniko_ shared a series of transactions that paid fees of up to 350,000 USD but still failed. This person then discovered that they were part of an attempt to attack Nomad, draining WBTC, WETH, USDC and many other ERC-20 tokens in countless small transactions.
— eth 🦊💙 (whg.eth) (@sniko_) August 1, 2022
According to statistics compiled by user @1kbeetlejuice, within the next 2 hours Nomad's smart contract was drained, falling from $176.6 million to almost zero.
User FatManTerra claims that this attack was carried out from multiple accounts, or even turned into a free-for-all in which people copied the first hacker's transaction and changed only the withdrawal address to pull money out of Nomad. FatMan joked that this was the crypto industry's first "decentralized" attack, true to the nature of the cryptocurrency field.
Messages popping up in public Discord servers of random people grabbing $3K-$20K from the Nomad bridge - all one had to do was copy the first hacker's transaction and change the address, then hit send through Etherscan. In true crypto fashion - the first decentralized robbery. https://t.co/jWV9AamBer— FatMan (@FatManTerra) August 2, 2022
SlowMist traced the flow of funds to the three wallet addresses said to have taken the most money from Nomad, with a total value of up to $90 million.
🚨SlowMist Security Alert🚨@nomadxyz_ , a cross chain protocol was recently hacked causing the majority of their funds to be stolen.
We used @MistTrack_io and traced ~90M to the following 3 addresses here.
Follow us as we continue our investigation into this exploit. pic.twitter.com/HSV5SPU33J— SlowMist (@SlowMist_Team) August 2, 2022
Security expert samczsun later discovered that Nomad's vulnerability stemmed from the project having marked the default root 0x000… as trusted, which effectively granted withdrawal permission to any message. Someone noticed this and proceeded to withdraw funds; others then spotted the vulnerability and simply copied the first hacker's transaction.
10/ It turns out that during a routine upgrade, the Nomad team initialized the trusted root to be 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case it had a tiny side effect of auto-proving every message pic.twitter.com/fA3XbNW9qT— samczsun (@samczsun) August 2, 2022
“This is exactly why the hack became so chaotic – it doesn't require you to know about Solidity or Merkle Tree. All you have to do is find a successfully hacked transaction, find/replace someone else's address with yours, and then interact with Nomad's smart contract.”
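To make the mechanism samczsun describes concrete, here is a toy Python model, added here and not Nomad's own contract code: a message that was never proven reads back as the zero root, and because the zero root was marked confirmed at initialization, the acceptance check passes; the hardened variant rejects the zero root outright. The class, method and variable names are hypothetical, and the messages and root are constructed sample values.

```python
"""Toy model of a Nomad-style Replica message check (added example, not Nomad's
code). Hypothetical names: confirm_at maps a Merkle root to the time from which
it counts as confirmed; messages maps a message hash to the root it was proven
under. A missing mapping key reads back as zero, as in Solidity."""
import hashlib

ZERO_ROOT = b"\x00" * 32
NOW = 1_659_398_400  # constructed timestamp (2 Aug 2022)


class Replica:
    def __init__(self, committed_root, reject_zero_root):
        self.confirm_at = {}
        self.messages = {}
        self.reject_zero_root = reject_zero_root
        # The upgrade initializer marks committed_root as confirmed (1). With
        # committed_root == 0x00 the zero root itself becomes trusted.
        self.confirm_at[committed_root] = 1

    def prove(self, message, root):
        # Stand-in for a verified Merkle proof (sha256 instead of keccak256).
        self.messages[hashlib.sha256(message).digest()] = root

    def acceptable_root(self, root):
        # Hardened variant: the zero root is a default value, never a real root.
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and NOW >= confirmed

    def process(self, message):
        h = hashlib.sha256(message).digest()
        root = self.messages.get(h, ZERO_ROOT)  # unproven message -> zero root
        return self.acceptable_root(root)


def demo():
    # Constructed sample messages and root; no real chain data.
    unproven = b"constructed: release 100 WETH to recipient A"
    legit = b"constructed: release 5 WETH to recipient B"
    real_root = hashlib.sha256(b"constructed batch root").digest()

    vulnerable = Replica(committed_root=ZERO_ROOT, reject_zero_root=False)
    hardened = Replica(committed_root=ZERO_ROOT, reject_zero_root=True)
    hardened.confirm_at[real_root] = NOW - 1800  # optimistic window has elapsed
    hardened.prove(legit, real_root)

    return (vulnerable.process(unproven),  # True: never proven, yet accepted
            hardened.process(unproven),    # False: zero root rejected
            hardened.process(legit))       # True: properly proven message
```

Calling `demo()` returns `(True, False, True)`: the first value is the auto-proving side effect, the second shows the hardened check closing it, and the third confirms that legitimately proven messages still pass.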
It is worth mentioning that this vulnerability was discovered by the smart contract auditing firm Quantstamp, which warned Nomad about it in early June, but the warning was ignored and led to the current consequences.
Nomad has announced the closure of its cross-chain bridge to investigate the cause, and warned users to be on the lookout for impostor accounts calling for the voluntary return of funds from the looters.
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.— Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022
We're aware of impersonators posing as Nomad and providing counterfeit addresses to collect funds. We aren't yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad's official channel: @nomadxyz_— Nomad (⤭⛓🏛) (@nomadxyz_) August 2, 2022
Meanwhile, Moonbeam has also put its network into a "maintenance state", but still allows users to make transactions, interact with smart contracts, stake, and take part in governance as normal.
1/ Important Notice: The Moonbeam Network has gone into Maintenance Mode in order to investigate a security incident with a smart contract deployed on the network.— Moonbeam Network #HarvestMoonbeam (@MoonbeamNetwork) August 1, 2022
Question marks continue to arise for cross-chain bridge projects
The Nomad attack took place almost a year after Poly Network, another cross-chain bridge project, was hacked for $611 million on August 10, 2021. The hacker then decided to return the money after the hack was discovered, having realized that it was impossible to dispose of such a large amount of money.
In February 2022, it was the turn of Wormhole, the bridge between Solana and Ethereum, to be hacked, losing $325 million in crypto assets. Wormhole then raised an emergency fund of a similar amount to ensure user compensation and resume operations.
More than a month later, on March 29, 2022, the crypto community was shaken by news that Ronin, the bridge of the game Axie Infinity, had been robbed by hackers for a week without anyone noticing, resulting in a loss of $622 million. This is the most damaging attack in the history of the cryptocurrency industry to date.
At the end of June, Ronin resumed normal operations, while Sky Mavis, the developer of Axie Infinity, had to raise 150 million USD in capital and pay out of pocket to compensate users. Even so, controversies continued to cling to the project: its systems were compromised because a Sky Mavis programmer accepted a dubious "job offer", and rumors circulated that Sky Mavis CEO Nguyen Thanh Trung transferred $3 million in AXS to the Binance exchange before announcing the hack.
Also around this time, the Horizon bridge of the blockchain project Harmony was attacked, losing about 100 million USD in cryptocurrency. Harmony then posted a proposal to hard fork the protocol and mint more ONE tokens to compensate users instead of disbursing the project's own funds, prompting a backlash from the community.
Right before the Wormhole hack, Ethereum founder Vitalik Buterin argued that cross-chain solutions should not be trusted because of the many flaws in their working mechanism.