
Smart Contract Exploit Costs Nomad Crypto Bridge $200 Million

Vlad CONSTANTINESCU

August 03, 2022


Cryptocurrency bridge Nomad was hit by a chaotic attack on Monday that cost the platform some $200 million worth of crypto assets. The incident involved a smart contract flaw that, once noticed, let anyone drain funds from the bridge's contracts.

Nomad is a popular bridge service that lets users swap crypto tokens and data between different blockchains.

The platform disclosed the attack in a tweet on Monday. Initially, Nomad labeled it an “incident” that underwent investigation. On Tuesday, the company released a new statement saying that the team is “working around the clock to address the situation.”

The second statement also mentioned the involvement of law enforcement and “leading firms for blockchain intelligence and forensics” in the investigation.

A researcher under the moniker samczsun at crypto/Web3 investment firm Paradigm explained the attack in an elaborate Twitter thread. The security incident was first reported on the ETHSecurity Telegram channel and analyzed by various security researchers.

As it turns out, Nomad misconfigured a smart contract during a routine upgrade, with the effect that every message sent to the bridge counted as already proven, so spoofed messages were accepted. The chaotic nature of the hack stemmed from its simplicity: users just needed to find a successful withdrawal transaction, copy its calldata, replace the receiver's address with their own, and re-broadcast it.

Once they caught wind of the malicious technique, users went on a spree and drained the bridge accounts.

“tl;dr a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad,” reads samczsun’s tweet.  “Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all.”
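The following is an added illustration, not Nomad's code and not from any of the sources the article cites: a toy model of a "replica" contract that only processes messages proven against a validator-confirmed Merkle root. The contract name, field layout, hash function, roots, addresses and amounts are all assumptions constructed for the example. It shows the mechanism samczsun's tweet describes: an unproven message is associated with the zero root by default, so pre-confirming the zero hash during initialization makes every copy-pasted message with a swapped recipient pass the "proven" check. A hardened variant that refuses the zero root is shown beside it.

```python
"""Toy model of the 'zero root marked valid' bridge bug (illustrative, not Nomad's code)."""
import hashlib
from dataclasses import dataclass, replace

ZERO_ROOT = b"\x00" * 32


def msg_hash(data: bytes) -> bytes:
    # Stand-in for keccak256; the hash choice does not affect the logic shown.
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Message:
    """Cross-chain message as a flat record (simplified, constructed layout)."""
    origin_domain: int
    nonce: int
    sender: bytes
    recipient: bytes
    amount: int

    def encode(self) -> bytes:
        return (self.origin_domain.to_bytes(4, "big") + self.nonce.to_bytes(4, "big")
                + self.sender + self.recipient + self.amount.to_bytes(32, "big"))


class Replica:
    """Destination-side contract: a message may be processed only after it has
    been proven against a root that a validator confirmed."""

    def __init__(self, committed_root: bytes, now: int = 1_000_000):
        self.now = now
        self.confirm_at = {}    # root -> timestamp after which it is acceptable
        self.messages = {}      # message hash -> root it was proven against
        self.processed = set()
        self.balances = {}
        self.initialize(committed_root)

    def initialize(self, committed_root: bytes) -> None:
        # The misconfigured upgrade passed the zero hash here, pre-confirming it.
        self.confirm_at[committed_root] = 1

    def update(self, new_root: bytes, optimistic_seconds: int = 30 * 60) -> None:
        # A validator-signed root becomes acceptable once the fraud window has passed.
        self.confirm_at[new_root] = self.now + optimistic_seconds

    def acceptable_root(self, root: bytes) -> bool:
        t = self.confirm_at.get(root, 0)
        return t != 0 and self.now >= t

    def prove(self, h: bytes, root: bytes) -> None:
        # Merkle-proof verification elided; a real contract verifies the proof here.
        self.messages[h] = root

    def process(self, m: Message) -> bool:
        h = msg_hash(m.encode())
        # An unproven message maps to the zero root; with the bug, that root passes.
        if not self.acceptable_root(self.messages.get(h, ZERO_ROOT)):
            raise PermissionError("!proven")
        if h in self.processed:
            raise PermissionError("!processed")
        self.processed.add(h)
        self.balances[m.recipient] = self.balances.get(m.recipient, 0) + m.amount
        return True


class HardenedReplica(Replica):
    """Same contract with the zero root explicitly refused (one illustrative fix)."""

    def initialize(self, committed_root: bytes) -> None:
        if committed_root == ZERO_ROOT:
            raise ValueError("refusing to pre-confirm the zero root")
        super().initialize(committed_root)

    def acceptable_root(self, root: bytes) -> bool:
        return root != ZERO_ROOT and super().acceptable_root(root)


# Constructed sample data: one genuine transfer and a root a validator really signed.
VICTIM = b"\x11" * 32
ATTACKER = b"\xaa" * 32
LEGIT = Message(origin_domain=1, nonce=7, sender=b"\x22" * 32, recipient=VICTIM, amount=100)
PROVEN_ROOT = b"\x55" * 32


def spoof_succeeds(replica: Replica) -> bool:
    """Copy the genuine message, swap the recipient, submit it without any proof.
    Returns True if the replica pays the attacker."""
    try:
        return replica.process(replace(LEGIT, recipient=ATTACKER))
    except PermissionError:
        return False


def run(replica: Replica):
    """Process the genuine transfer, then attempt the copy-paste spoof."""
    replica.update(PROVEN_ROOT, optimistic_seconds=0)
    replica.prove(msg_hash(LEGIT.encode()), PROVEN_ROOT)
    replica.process(LEGIT)
    return spoof_succeeds(replica), replica.balances.get(ATTACKER, 0)


def demo_vulnerable():
    return run(Replica(committed_root=ZERO_ROOT))       # (True, 100)


def demo_hardened():
    return run(HardenedReplica(committed_root=b"\x99" * 32))  # (False, 0)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
```

Note that the spoofed message was never proven and carries a different hash from the genuine one, so the replay-protection set does not stop it; the only gate is the root check, and the zero root is exactly the value an unproven message falls back to. That is why a single storage slot set during an upgrade was enough to turn every withdrawal into a template anyone could reuse.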

Fortunately, Nomad might be able to recover some of the funds from “whitehats that drained preventively,” as Nassim Eddequiouaq, CISO for Crypto at venture capital firm a16z, suggests. On the other hand, the identities of most of the users who drained Nomad's accounts remain largely unknown.
