The Nomad cross-chain bridge was hacked, but the hack was so simple that hundreds of users copied it and looted the rest of the $190M of assets.
Yet another cross-chain cryptocurrency bridge, the Nomad bridge, was drained of almost all its assets, but this time it wasn’t just hackers who participated. In a first for the blockchain industry, a 9-figure hack was committed by not just one hacker, or even a few hackers, but by hundreds of actual users in what can only be described as a “frenzied looting spree“.
Cross-chain bridges are a system of smart contracts and messaging scripts that connect one blockchain to another to allow for cryptocurrencies and NFTs to be transferred between them. They (usually) work by storing the tokens in a smart contract on their “native” chain, and then minting a “wrapped” version of the deposited tokens on the other chain. Users can also withdraw their native tokens by depositing the wrapped tokens back into the bridge, where they are burned. One common is example is Wrapped Bitcoin, or WBTC, which allows users to send their BTC on the Bitcoin blockchain to the Ethereum blockchain where it can be used in Decentralized Finance (or “DeFi“) applications. Bridges can wrap any kind of blockchain token, including non-fungible tokens (or “NFTs“) and stablecoins (cryptocurrencies stable to the dollar). Because they act as massive pools of locked up cryptocurrencies and digital assets, bridges are the most attractive targets for hackers, and present the largest security risk to the blockchain ecosystem.
Yesterday, TechCrunch and Gizmodo reported that the Nomad blockchain bridge was hacked, but the hack was so simple that hundreds of additional users copy-pasted the transaction and drained the bridge of $190M in what blockchain developer and Twitter user @0xfoobar is calling, “the first decentralized crowd-looting of a 9-figure bridge in history.” The Nomad bridge connected Ethereum, Avalanche, Evmos, Moonbeam, and Milkomeda together, and held almost $200M in its system prior to the hack. After the hack was over, there was only roughly $1700 of assets remaining inside the bridge’s smart contracts. Many users have come forth and admitted to participating in the looting spree, and have promised to return the assets once a safe address can be provided. Others have claimed to be white-hat hackers who intentionally exploited the bridge to protect the crypto assets held on it.
Blockchain Bridges Are Rich Targets
Bridges are vital pieces of infrastructure for a multi-chain future, where many blockchains work together and share assets as a single unit. Just as the early internet was once a mess of different protocols that eventually settled on a single protocol, blockchain is also still a mess of protocols trying to interface with each other. For Web3 to be safe, privacy issues and asset custody needs to be worked out, rock-solid development standards are needed for cross-chain bridges, and better regulations are needed to protect users. Right now, blockchain is too difficult to use, crypto wallets don’t have human-readable names, users don’t know how to avoid phishing attacks, and hacks occur on what seems to be a weekly basis. Bridges are the richest of these targets, as they hold hundreds of millions of dollars’ worth of assets inside them, and the absence of security standards means they are all built and managed differently.
While the damage is done, plenty of honest users will return what they took. However, the dishonest users will likely keep what they stole, and will have to find a way to launder and cash out their crypto, since all the cryptocurrency stolen from the Nomad bridge is now associated with the hack and any attempt to deposit it into an exchange account will alert authorities. Blockchain analysis and security firms will keep an eye on the addresses that participated in the Nomad looting spree, and Nomad will likely issue a call for honest participants to return the assets they stole.
Source: TechCrunch, Gizmodo, 0xfoobar/Twitter
About The Author