Nomad, a cross-chain messaging protocol that enables users to send and receive tokens between various blockchains, lost at least $150 million as a result of a security flaw that allowed malicious parties to spoof messages.
According to DeFi tracking platform DeFi Llama, the project had USD 190m in total value locked (TVL) just before the exploit started. However, all of the money was gone in a matter of hours. The project currently has about USD 5,600 in TVL as of the time of writing.
BlockSec, a blockchain security company, put the loss at around USD 150 million. This may mean that bridge users withdrew the remaining USD 40 million themselves.
According to Etherscan transactions, a user may have successfully withdrawn 100 wrapped bitcoin (WBTC), worth approximately USD 2.3 million, from the bridge by depositing WBTC 0.01 (around USD 230) at 9:32 PM UTC on Monday.
The Nomad team subsequently acknowledged an "incident involving the Nomad token bridge" and stated that it was "currently investigating the incident."
According to information gathered by cryptocurrency security company PeckShield, various amounts of WBTC, wrapped ethereum (WETH), USD coin (USDC), frax (FRAX), covalent query token (CQT), hummingbird governance token (HBOT), IAGON (IAG), dai (DAI), gerowallet (GERO), card starter (CARDS), saddle DAO (SDL), and charli3 (C3) tokens have been taken from
"The Nomad team initialized the trusted root to be 0x00" during an upgrade, which had the "side effect of auto-proving every message," according to Sam Sun, Head of Security at Paradigm.
"This is why the hack was so chaotic - you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it," said Sun.
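Sun's description of a trusted root initialized to 0x00 points at a general bug class: a mapping whose absent entries read as the zero value, combined with the zero value itself being marked trusted. The following Python model is an added illustration, not Nomad's contract code. It assumes a simplified replica that stores the root each message was proven against in a mapping (an unproven message reads back as the zero hash, as a Solidity mapping would), and a confirm_at mapping that marks trusted roots; the names Replica, acceptable_root, prove and process, and the small Merkle helper, are illustrative. It shows the misconfigured instance accepting a never-proven message, a correctly initialized instance rejecting it, and a hardened instance that additionally refuses the zero root outright.

```python
import hashlib

ZERO_ROOT = bytes(32)  # the all-zero 32-byte hash, i.e. "0x00...00"


def _hash_pair(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(left + right).digest()


def merkle_proof(leaves: list, index: int):
    """Return (root, proof) for leaves[index]; proof entries are (sibling, sibling_is_left).
    Odd levels duplicate the last node. Constructed helper, not a production Merkle library."""
    level = list(leaves)
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        level = [_hash_pair(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], proof


def verify_proof(leaf: bytes, proof: list, root: bytes) -> bool:
    node = leaf
    for sibling, sibling_is_left in proof:
        node = _hash_pair(sibling, node) if sibling_is_left else _hash_pair(node, sibling)
    return node == root


class Replica:
    """Simplified model of a bridge replica's message-acceptance logic (assumed, not Nomad's code)."""

    def __init__(self, trusted_root: bytes, reject_zero_root: bool = False):
        # confirm_at[root] = block at which the root became trusted; absent (or 0) = untrusted
        self.confirm_at = {}
        # messages[msg_hash] = root the message was proven against; absent = never proven
        self.messages = {}
        self.reject_zero_root = reject_zero_root
        if reject_zero_root and trusted_root == ZERO_ROOT:
            # Hardened initializer: the zero hash can never be a legitimate trusted root.
            raise ValueError("trusted root must not be the zero hash")
        self.confirm_at[trusted_root] = 1

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        return self.confirm_at.get(root, 0) != 0

    def prove(self, msg_hash: bytes, proof: list, root: bytes) -> bool:
        """Record msg_hash as proven if its Merkle proof checks out against a trusted root."""
        if not verify_proof(msg_hash, proof, root) or not self.acceptable_root(root):
            return False
        self.messages[msg_hash] = root
        return True

    def process(self, msg_hash: bytes) -> bool:
        # Mapping semantics: a message that was never proven reads back as the zero root.
        root = self.messages.get(msg_hash, ZERO_ROOT)
        return self.acceptable_root(root)


def zero_root_init_rejected() -> bool:
    """True if the hardened initializer refuses a zero trusted root."""
    try:
        Replica(trusted_root=ZERO_ROOT, reject_zero_root=True)
    except ValueError:
        return True
    return False


def demo() -> dict:
    # Constructed sample data: three message hashes under one tree, plus one never proven.
    leaves = [hashlib.sha256(f"constructed message {i}".encode()).digest() for i in range(3)]
    root, proof = merkle_proof(leaves, 1)
    unproven = hashlib.sha256(b"constructed message never proven").digest()

    vulnerable = Replica(trusted_root=ZERO_ROOT)                 # the 0x00 misconfiguration
    correct = Replica(trusted_root=root)                         # sane root, no extra guard
    hardened = Replica(trusted_root=root, reject_zero_root=True)  # sane root plus guard
    hardened.prove(leaves[1], proof, root)

    return {
        "vulnerable_accepts_unproven": vulnerable.process(unproven),  # True: every message "proven"
        "correct_init_accepts_unproven": correct.process(unproven),   # False
        "hardened_accepts_unproven": hardened.process(unproven),      # False
        "hardened_accepts_proven": hardened.process(leaves[1]),       # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for reviewers of upgrade scripts and initializers: a correct trusted root alone makes process() reject unproven messages, but the guard against the zero root is what keeps a single bad initialization parameter from turning the default mapping value into a proof of everything.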
The incident was referred to as "the first decentralized robbery" by the anonymous Terra researcher FatMan. "All one had to do was copy the first hacker's transaction and change the address, then hit send through Etherscan," they said.
There are still no additional details about the hack from the Nomad team. They issued a warning about impersonators attempting to solicit money in their most recent tweet.
The team stated, "We’re aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds. We aren’t yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad’s official channel."
The Nomad Bridge hack is the latest in a string of attacks on bridges.
According to reports, a hacker stole USD 100 million worth of various cryptoassets in late June by taking advantage of a flaw in Harmony's Horizon Bridge, which enables token transfers between the Harmony network and Ethereum, Binance Chain (BNB), and Bitcoin (BTC).
Additionally, the Ethereum-based Ronin Network, which was built for the well-known play-to-win game Axie Infinity, was previously exploited to the tune of USD 600 million, and the DeFi platform Wormhole suffered a loss of almost USD 325 million to hackers in February.
By fLEXI tEAM