$190 Million Stolen From Crypto Bridge Nomad
The biggest hack since Axie Infinity's Ronin Bridge sidechain was compromised back in March has just hit the Nomad token bridge, allowing malicious actors to steal around $190 million.
"We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them," Nomad tweeted Monday afternoon.
The Nomad bridge is a protocol that gives users the ability to move digital assets between blockchains, such as Milkomeda C1, Avalanche (AVAX), Ethereum (ETH), and Moonbeam (GLMR).
Currently, the main point of attack has not been found, but some savvy users on Twitter have identified a configuration error in a smart contract that Nomad uses to process messages as the culprit, leading to millions being drained from Nomad's liquidity pool.
"It all started when @officer_cia shared @spreekaway's tweet in the ETHSecurity Telegram channel," Sam Sun, a researcher at crypto investment firm Paradigm, tweeted. "Although I had no idea what was going on at the time, just the sheer volume of assets leaving the bridge was clearly a bad sign."
"It turns out that during a routine upgrade," Sun continued, "the Nomad team initialized the trusted root to be 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case it had a tiny side effect of auto-proving every message."
Sun compared what followed to “a frenzied free-for-all,” because little technical knowledge was needed to take part in the attack.
“You didn't need to know about Solidity or Merkle Trees or anything like that,” Sun wrote. “All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it.”
Correspondingly, the blockchain security firm CertiK reported that all hackers had to do to take part in the exploit was copy and paste transactions, explaining that this was done “by copying the original hacker's transaction calldata and replacing the original address with a personal one.”
The ease of access to such a bug led to the entire bridge being bled of almost all its funds.
"Nomad's bridge got owned in a similar manner to Qubit's QBridge," tweeted a16z security engineer Matt Gleason. "An insecure configuration of the bridge caused a specific path to allow any transaction sent. The error is inside the Replica's ‘process’ function."
"The system will accept any message that it has never seen before and process it as if it were genuine, meaning that all you need to do is ask for all the bridge's money and you'll get it," he added.
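The failure Sun and Gleason describe can be shown in a simplified model, added here as an illustration and not taken from Nomad's contracts. The class, method and field names are assumptions of the model, and SHA-256 and the `prove` method stand in for the contract's hashing and Merkle proof check.

```python
import hashlib

ZERO = b"\x00" * 32  # what an unset 32-byte storage slot reads back as

class Replica:
    """Toy replica: process a message only if the root it was proven
    against is trusted. All names here are hypothetical."""

    def __init__(self, trusted_root, reject_zero_root=False):
        self.trusted_roots = {trusted_root}  # roots accepted as genuine
        self.proven_root = {}                # message hash -> root it was proven under
        self.processed = set()               # message hashes already handled
        self.reject_zero_root = reject_zero_root

    @staticmethod
    def _hash(message):
        return hashlib.sha256(message).digest()

    def prove(self, message, root):
        # Stand-in for Merkle proof verification: record the proven root.
        self.proven_root[self._hash(message)] = root

    def process(self, message):
        h = self._hash(message)
        if h in self.processed:
            return False  # already seen: rejected as a replay
        # A never-proven message has no entry, so the lookup yields zero.
        root = self.proven_root.get(h, ZERO)
        if self.reject_zero_root and root == ZERO:
            return False  # hardened: "never proven" must not count as a root
        if root not in self.trusted_roots:
            return False
        self.processed.add(h)
        return True

def demo():
    real_root = hashlib.sha256(b"constructed root").digest()
    unproven = b"constructed: message that was never proven"
    genuine = b"constructed: message with a valid proof"
    good = Replica(real_root)
    good.prove(genuine, real_root)
    return {
        "zero_root_trusted": Replica(ZERO).process(unproven),
        "real_root_trusted": Replica(real_root).process(unproven),
        "zero_root_hardened": Replica(ZERO, reject_zero_root=True).process(unproven),
        "proven_message": good.process(genuine),
        "replayed_message": good.process(genuine),
    }

if __name__ == "__main__":
    print(demo())
```

With the zero value trusted, the default lookup result for an unproven message matches a trusted root, so the only remaining check is whether the message has been seen before.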
With Axie losing $622 million earlier this year through its own exploit and now Nomad, this is looking to be the worst year on record for stolen crypto, with over $1 billion being stolen since 2021.