The Nomad cross-chain bridge was hacked, but the hack was so simple that hundreds of users copied it and looted the remaining $190 million in assets.
Yet another cross-chain cryptocurrency bridge, the Nomad bridge, was drained of almost all of its assets, but this time it wasn’t just hackers who participated. In a first for the blockchain industry, a nine-figure hack was committed not by one hacker, or even a few hackers, but by hundreds of actual users in what can only be described as a “crazy loot train”.
Cross-chain bridges are a system of smart contracts and messaging scripts that connect one blockchain to another to allow the transfer of cryptocurrencies and NFTs between them. They work (usually) by locking tokens in a smart contract on their “native” chain, then minting a “wrapped” version of the deposited tokens on the other chain. Users can later withdraw their original tokens by sending the wrapped tokens back into the bridge, where they are burned. A common example is Wrapped Bitcoin, or WBTC, which allows users to send their BTC from the Bitcoin blockchain to the Ethereum blockchain, where it can be used in decentralized finance (or “DeFi”) applications. Bridges can wrap all kinds of blockchain tokens, including non-fungible tokens (or “NFTs”) and stablecoins (cryptocurrencies pegged to the dollar). Because they act as massive pools of locked-up cryptocurrencies and digital assets, bridges are the most attractive targets for hackers and pose the biggest security risk to the blockchain ecosystem.
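As an added illustration of the lock, mint and burn accounting just described (a constructed example, not Nomad’s code or data), the following monitor replays bridge events and flags native-chain releases that no wrapped-token burn backs, which is what a drained bridge looks like in the ledger:

```python
# Constructed sample of events as a bridge monitor would observe them across
# both chains (added example, not real Nomad data). Tuples: (event, amount, id).
SAMPLE_EVENTS = [
    ("deposit", 100, "d1"),   # native chain: tokens locked, wrapped minted remotely
    ("deposit", 50, "d2"),
    ("burn", 30, "b1"),       # remote chain: wrapped tokens burned
    ("release", 30, "b1"),    # native chain: release backed by burn b1
    ("release", 70, "b2"),    # native chain: no matching burn -> unbacked
    ("release", 40, "b3"),    # native chain: no matching burn -> unbacked
]


def reconcile(events):
    """Replay lock-and-mint accounting over an event list.

    Returns a dict with the collateral still locked in the native vault, the
    wrapped supply outstanding on the remote chain, the total of burns still
    waiting for release, and every release that had no matching burn proof.
    """
    vault = wrapped = 0
    pending = {}      # burn id -> amount burned, not yet released
    unbacked = []     # releases with no matching (id, amount) burn
    for kind, amount, ident in events:
        if kind == "deposit":
            vault += amount
            wrapped += amount          # remote side mints the same amount
        elif kind == "burn":
            wrapped -= amount
            pending[ident] = amount
        elif kind == "release":
            vault -= amount
            if pending.pop(ident, None) != amount:
                unbacked.append((ident, amount))
    return {
        "vault": vault,
        "wrapped": wrapped,
        "pending": sum(pending.values()),
        "unbacked": unbacked,
    }


def solvent(state):
    """Invariant a monitor should alert on: locked collateral must cover the
    outstanding wrapped supply plus burns that are still awaiting release."""
    return state["vault"] >= state["wrapped"] + state["pending"]
```

Run over the first four events the bridge is solvent; the two unbacked releases leave 120 wrapped tokens backed by only 10 locked tokens, and `solvent()` returns False.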
Yesterday, TechCrunch and Gizmodo reported that the Nomad blockchain bridge was hacked, but the hack was so simple that hundreds of additional users copied the transaction and drained the bridge of $190M, which blockchain developer and Twitter user @0xfoobar called “the first decentralized looting of a 9-figure bridge in history.” The Nomad bridge connected Ethereum, Avalanche, Evmos, Moonbeam, and Milkomeda, and held nearly $200 million before the hack. After the hack was over, only about $1,700 was left in the bridge’s smart contracts. Many users have come forward, admitted to participating in the looting spree, and promised to return the assets as soon as a secure address is provided. Others have claimed to be white-hat hackers who intentionally exploited the bridge to protect the crypto-assets held on it.
Blockchain bridges are rich targets
Bridges are important pieces of infrastructure for a multi-chain future, where many blockchains work together and share assets as a single entity. Just as the early internet was once a mess of different protocols that eventually settled on a single one, blockchain is still a mess of protocols trying to communicate with each other. For Web3 to be secure, privacy issues and asset management need to be addressed, solid development standards for cross-chain bridges are needed, and better regulations are needed to protect users. Right now, blockchain is too difficult to use, crypto wallets don’t have human-readable names, users don’t know how to avoid phishing attacks, and hacks occur on what seems like a weekly basis. Bridges are the richest of these targets, as they hold hundreds of millions of dollars worth of assets, and the absence of safety standards means they are all built and managed differently.
While the damage is done, many honest users will return what they took. However, the dishonest users will likely keep what they stole and will have to find a way to launder and cash out their cryptocurrency, as all the cryptocurrency stolen from the Nomad bridge is now associated with the hack and any attempt to deposit it into an exchange account will notify the authorities. Blockchain analytics and security firms will keep an eye on the addresses that participated in the Nomad looting party, and Nomad will likely issue a call to honest participants to return the assets they stole.
Source: TechCrunch, Gizmodo, 0xfoobar/Twitter