Cross-chain token bridge Nomad was exploited on Monday in an attack that drained its entire pool of funds, nearly $200 million worth of cryptocurrencies.
Like other cross-chain bridges, the Nomad bridge enables users to move their tokens between different blockchains. Recently, numerous cross-chain bridges have been exploited in separate cyber attacks, which raises questions about their security and reliability.
In an interview with a reputed news channel, the Nomad team stated, “An investigation is ongoing and leading firms for blockchain intelligence and forensics have been retained.”
The team added, “We have notified law enforcement and are working around the clock to address the situation and provide timely updates. Our goal is to identify the accounts involved and to trace and recover the funds.”
According to researcher “samczsun” on Twitter, this was the most chaotic hack in the history of Web 3.0. He revealed that a recent update to Nomad’s smart contract allowed users to spoof transactions.
This means that users with no knowledge of Solidity or Merkle trees could withdraw money from the Nomad bridge that they did not even own. It also indicates that no single individual was behind the attack.
“… you didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it” @samczsun explained.
Recently, many cross-chain bridges have been exploited in cyber attacks that cost crypto investors millions of dollars. In March, the Ronin bridge was compromised in a cyber attack and lost $600 million worth of cryptocurrencies.
After researching the Nomad incident further, samczsun found that while the Moonbeam transaction had bridged out 0.01 WBTC, the Ethereum side was bridging 100 WBTC at the same time.
Generally, a bridge locks tokens in a smart contract on one chain and issues the same amount of “wrapped” tokens on another chain. The two tokens are equivalent.
In Nomad’s case, the tokens were drained from the smart contract where they were initially deposited. As a result, the wrapped tokens have no backing left, which makes them worthless.
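The amount mismatch and the loss of backing described above are both visible to a monitor that reconciles bridge events across chains. The following Python monitor is an added example, not Nomad's code or part of the original article; the event kinds, message ids and sample amounts are constructed assumptions.

```python
from collections import namedtuple
from decimal import Decimal

# Hypothetical event model (an assumption, not Nomad's schema):
# "lock"    = deposit on the home chain, wrapped tokens minted remotely
# "burn"    = bridge-out on the remote chain, wrapped tokens destroyed
# "release" = unlock from the home-chain contract; msg_id links it to a burn
Event = namedtuple("Event", "kind msg_id amount")

def reconcile(events, collateral=Decimal(0), wrapped=Decimal(0)):
    """Replay bridge events; return (alerts, collateral, wrapped_supply)."""
    burns, released, alerts = {}, set(), []
    for ev in events:
        if ev.kind == "lock":
            collateral += ev.amount
            wrapped += ev.amount
        elif ev.kind == "burn":
            burns[ev.msg_id] = ev.amount
            wrapped -= ev.amount
        elif ev.kind == "release":
            burned = burns.get(ev.msg_id)
            if burned is None:
                alerts.append(f"{ev.msg_id}: release without a matching bridge-out")
            elif ev.msg_id in released:
                alerts.append(f"{ev.msg_id}: message released more than once")
            elif ev.amount != burned:
                alerts.append(f"{ev.msg_id}: released {ev.amount}, bridged out {burned}")
            released.add(ev.msg_id)
            collateral -= ev.amount  # funds left the contract regardless
        # Invariant: locked collateral must cover the wrapped supply.
        if collateral < wrapped:
            alerts.append(f"{ev.msg_id}: backing {collateral} < wrapped supply {wrapped}")
    return alerts, collateral, wrapped

# Constructed sample; the 0.01 vs 100 amounts mirror the mismatch above.
SAMPLE = [
    Event("lock", "m1", Decimal("150")),
    Event("burn", "m2", Decimal("0.01")),
    Event("release", "m2", Decimal("100")),
    Event("release", "m3", Decimal("50")),
]

if __name__ == "__main__":
    alerts, collateral, wrapped = reconcile(SAMPLE)
    for alert in alerts:
        print("ALERT", alert)
    print("collateral", collateral, "wrapped supply", wrapped)
```

On the constructed sample the first alert fires on the first mismatched release, well before the collateral reaches zero, which is the point at which a bridge operator would want to pause releases.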