On Monday, the cross-chain token bridge Nomad was attacked and hackers managed to extract $190 million from the protocol, draining the vast majority of the funds. The Nomad cross-chain bridge attack was the third largest crypto heist of 2022, and the ninth largest of all time.
Nomad Cross-Chain Bridge Drained of $190 Million
Cross-chain bridges in decentralized finance (defi) cannot catch a break, regardless of how long they have been in operation or whether they have been audited. On August 1, 2022, the cross-chain bridge Nomad suffered an attack that drained $190 million in crypto funds from the bridge. Security experts at blockchain auditing firm Certik published an incident report detailing what happened.
“The vulnerability was in the initialization process where the ‘committed Root’ is set to NULL,” Certik wrote. “Therefore, the attackers were able to bypass the message verification process and flush the tokens from the bridge contract,” Certik added, noting:
The exploit occurred when a routine upgrade allowed confirmation messages to be bypassed on Nomad. Attackers abused this to copy/paste transactions and were able to drain the bridge of almost any means before it could be stopped.
Cross-chain bridges have suffered exploit after exploit since they were first introduced. In late March, the biggest hack of 2022 saw the theft of $620 million from Axie Infinity’s Ronin bridge. Researchers at Comparitech rank the Nomad bridge attack as the third largest breach this year in the research firm’s crypto-heist tracker. As Nomad connected a number of blockchain networks, the founder and CEO of AVA Labs, Emin Gün Sirer, tweeted about the incident and said that the Avalanche Bridge was safe.
“The Nomad bridge, used by non-Avalanche chains, was hacked today,” Gün Sirer wrote. “Nomad was the official bridge for EVMOS (Cosmos EVM), Moonbeam (Polkadot EVM) and Milkomeda (another EVM) – Avalanche Bridge is unaffected.”
Nomad Raised $22M in April; Blockchain Security Company Certik Says This Particular Flaw ‘Would Be Difficult To Detect Under Conventional Auditing Practices’
The attack on the Nomad bridge follows the project’s April seed round, in which Nomad raised approximately $22.4 million in funding led by Polychain Capital. Other strategic investors that helped Nomad raise funds include 1kx, Ethereal Ventures, Hack.vc, Circle Ventures, Amber, Robot Ventures, Hypersphere, Figment, Dialectic, Archetype and Ledgerprime. While a broader audit could have found the Nomad bridge vulnerability, Certik’s blockchain and smart contract auditors say this kind of flaw is harder to catch in a conventional audit.
“This type of issue would be difficult to detect under conventional auditing practices that assume all deployment configurations are correct, because this particular error was introduced by errors in the deployment parameters,” concludes Certik’s report on the Nomad situation. “However, a broader audit process and full-scope penetration test that includes validation of deployment processes would potentially catch this flaw,” the auditors added.
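The mechanism Certik describes above (a committed root initialized to NULL, letting unproven messages pass verification) and the deployment-parameter check it recommends can both be seen in a small model. The following is an added illustration written for this article, not Nomad’s code or Certik’s: it models an optimistic bridge replica in Python, with storage and function names (committedRoot, confirmAt, acceptableRoot, prove, process) chosen to follow the public Nomad Replica contract as the editor recalls it, which should be treated as an assumption. SHA-256 stands in for keccak256, the Merkle-branch check is reduced to a flag, the message fields are constructed sample data, and the “hardened” variant is the editor’s own hardening of the model, not Nomad’s actual fix.

```python
"""Simplified model of an optimistic bridge replica (Nomad-style).

Added illustration, not Nomad's code. Names follow the public Replica
contract as recalled by the editor (assumption). Messages are dicts
instead of ABI-encoded bytes; sha256 stands in for keccak256.
"""
import hashlib

ZERO_ROOT = b"\x00" * 32             # the "NULL" root from the Certik quote
PROCESSED = b"\x00" * 31 + b"\x02"   # status written once a message executes


def message_hash(message: dict) -> bytes:
    """Stand-in for keccak256 of the encoded message (sha256 is fine for the model)."""
    return hashlib.sha256(repr(sorted(message.items())).encode()).digest()


class Replica:
    def __init__(self, committed_root: bytes, optimistic_seconds: int, hardened: bool = False):
        self.hardened = hardened
        if hardened and committed_root == ZERO_ROOT:
            # deployment-parameter validation: refuse a zero committed root at init
            raise ValueError("committedRoot must not be zero")
        # root -> earliest timestamp at which messages proven under it may execute
        self.confirm_at = {committed_root: 1}
        # message hash -> root it was proven against (absent == zero, as in EVM storage)
        self.messages = {}
        self.optimistic_seconds = optimistic_seconds

    def update(self, new_root: bytes, now: int) -> None:
        """Updater publishes a new root; it becomes usable after the fraud-proof window."""
        self.confirm_at[new_root] = now + self.optimistic_seconds

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.hardened and root == ZERO_ROOT:
            return False                      # never treat "unproven" as "confirmed"
        t = self.confirm_at.get(root, 0)
        return t != 0 and now >= t

    def prove(self, message: dict, root: bytes, merkle_branch_ok: bool) -> None:
        """Record that message is in the tree under root (Merkle check modeled as a flag)."""
        if not merkle_branch_ok:
            raise ValueError("!proof")
        self.messages[message_hash(message)] = root

    def process(self, message: dict, now: int) -> bool:
        """Execute a message if the root it was proven against is acceptable."""
        h = message_hash(message)
        root = self.messages.get(h, ZERO_ROOT)  # never-proven message reads as zero root
        if not self.acceptable_root(root, now):
            return False                        # "!proven"
        self.messages[h] = PROCESSED            # PROCESSED is never in confirm_at: blocks exact replay
        return True


# constructed sample message; field values are placeholders
SAMPLE_MESSAGE = {"origin": 1, "destination": 2, "nonce": 7, "recipient": "0xAAAA", "amount": 100}
NOW = 1_659_000_000


def demo_vulnerable() -> list:
    """Replica initialised with a zero root: confirm_at[0] == 1, so every unproven message passes."""
    r = Replica(ZERO_ROOT, optimistic_seconds=1800)
    first = r.process(SAMPLE_MESSAGE, NOW)                              # True, never proven
    replay = r.process(SAMPLE_MESSAGE, NOW)                             # False, hash now PROCESSED
    copy = r.process({**SAMPLE_MESSAGE, "recipient": "0xBBBB"}, NOW)    # True, new hash, still unproven
    return [first, replay, copy]


def demo_hardened() -> list:
    """Zero root rejected at init and in acceptable_root; only proven, confirmed messages execute."""
    try:
        Replica(ZERO_ROOT, optimistic_seconds=1800, hardened=True)
        init_rejected = False
    except ValueError:
        init_rejected = True
    r = Replica(b"\x11" * 32, optimistic_seconds=1800, hardened=True)
    unproven = r.process(SAMPLE_MESSAGE, NOW)                  # False, zero root unacceptable
    r.update(b"\x22" * 32, NOW)
    r.prove(SAMPLE_MESSAGE, b"\x22" * 32, merkle_branch_ok=True)
    too_early = r.process(SAMPLE_MESSAGE, NOW + 10)            # False, fraud-proof window open
    after_window = r.process(SAMPLE_MESSAGE, NOW + 1800)       # True
    return [init_rejected, unproven, too_early, after_window]


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
```

The model shows why a zero committed root is fatal: an unproven message has no entry in the messages mapping, which reads back as zero, and a zero root whose confirmAt entry was set at initialization is accepted as confirmed. It also shows why exact replays fail while copies with an altered field succeed, since each distinct message hashes to a fresh, still-unproven entry. The hardened variant is what a deployment-process review would check for: the initializer refuses the zero root, and acceptable_root refuses it again as defense in depth.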
Jamie Redman
Jamie Redman is the news editor at Bitcoin.com News and a financial technology journalist living in Florida. Redman has been an active member of the cryptocurrency community since 2011. He has a passion for Bitcoin, open source and decentralized applications. Since September 2015, Redman has written more than 5,700 articles for Bitcoin.com News about the disruptive protocols emerging today.
Image credit: Shutterstock, Pixabay, Wiki Commons, Comparitech
Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or an endorsement or recommendation of products, services or companies. Bitcoin.com does not provide investment, tax, legal or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on content, goods or services mentioned in this article.