Nomad Bridge Is Latest Victim of Disorganized Copy-Paste Attack


Nomad Bridge is the latest victim of a disorganized copy-paste attack: a vulnerability in the Nomad cross-chain bridge allowed numerous malicious “copy/paste” actors to siphon off the protocol’s collateral.

Nomad Bridge released a warning in the early hours of August 2 that it was aware of an ongoing exploit. The bridge’s entire $190 million in locked funds was drained in the hours that followed.

White hat developer and member of the crypto community ‘samczsun’ broke down the sequence of events and provided an explanation. He described the attack as “one of the most disorganized hacks that Web3 has ever seen.”


Nomad is a token bridge for cross-chain transactions between Ethereum, Avalanche, Milkomeda, and Moonbeam.

Researchers from Nomad Funds Drained posted a tweet on the ETHSecurity Telegram channel that showed numerous transactions moving funds out of the bridge. It seemed to be a token decimal configuration error at first, but samczsun found:

“However, after some painful manual digging on the Moonbeam network, I confirmed that while the Moonbeam transaction did bridge out 0.01 WBTC, somehow the Ethereum transaction bridged in 100 WBTC.”

What distinguishes this exploit from others is that the transactions were never “proven” and yet were carried out immediately. Processing information without verifying it first is really bad, declared samczsun. Further investigation by the programmer revealed a fatal flaw in the “Replica” smart contract that was introduced during a routine Nomad upgrade.

He added that the attackers did not need technical expertise, which is what made the situation so chaotic. All they had to do was find a successful transaction, replace the target address with their own, and rebroadcast it.


“A routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all,”
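The failure mode described above, as an added example that is not Nomad's code: a simplified Python model of a message inbox in which a message that was never proven reads back as the zero root, shown with and without a trusted zero root being rejected. The field and method names, the SHA-256 hash, the root value and the message strings are all constructed for illustration.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # what an unset mapping slot reads as


def msg_hash(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


class Replica:
    """Simplified model of a bridge inbox; not Nomad's Solidity code."""

    def __init__(self, initial_root: bytes, reject_zero_root: bool):
        self.confirm_at = {initial_root: 1}  # nonzero entry = trusted root
        self.proven_under = {}               # message hash -> root proven against
        self.processed = set()
        self.reject_zero_root = reject_zero_root

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: "never proven" can never look trusted
        return self.confirm_at.get(root, 0) != 0

    def prove(self, message: bytes, root: bytes) -> None:
        # A real bridge verifies a Merkle proof here; the model only records the root.
        self.proven_under[msg_hash(message)] = root

    def process(self, message: bytes) -> bool:
        h = msg_hash(message)
        if h in self.processed:
            return False  # exact replay is rejected in both variants
        # An unproven message has no entry, so it reads back as the zero root.
        root = self.proven_under.get(h, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        return True


def run_scenario(reject_zero_root: bool) -> dict:
    # Constructed sample data: the copy differs from the original only in recipient.
    real_root = msg_hash(b"constructed-merkle-root")
    bridge = Replica(initial_root=ZERO_ROOT, reject_zero_root=reject_zero_root)
    bridge.confirm_at[real_root] = 1
    bridge.prove(b"transfer|0.01 WBTC|to=0xAAAA", real_root)
    return {
        "proven": bridge.process(b"transfer|0.01 WBTC|to=0xAAAA"),
        "unproven_copy": bridge.process(b"transfer|0.01 WBTC|to=0xBBBB"),
        "replay": bridge.process(b"transfer|0.01 WBTC|to=0xAAAA"),
    }
```

With the zero root trusted, the unproven copy is accepted even though an exact replay is rejected, which is why changing only the recipient was enough; rejecting the zero root leaves properly proven messages unaffected.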

Nomad has even found bogus addresses trying to steal money that is being sent back to the bridge.

Nomad’s total value locked has decreased over the last few hours from $190.38 million to $5,336, according to DefiLlama.

Following the widely publicized attacks on the Ronin Bridge, Wormhole, and Harmony, Nomad is the latest victim of a token bridge attack this year.
