On Monday, the Nomad cross-chain token bridge was attacked and hackers managed to siphon off $190 million from the protocol, draining a large majority of the funds. The Nomad inter-chain bridge attack was the third largest crypto heist of 2022 and the ninth largest ever.
Nomad Cross-Chain Bridge Exploited for $190 Million
Cross-chain bridges in the world of decentralized finance (defi) simply cannot catch a break, no matter how long they have been running and even after the bridges have been audited. On August 1, 2022, the cross-chain bridge Nomad suffered an attack that saw the bridge lose $190 million in crypto funds. Security experts at the blockchain audit firm Certik published an incident report describing what happened.
“The vulnerability was in the initialization process where the ‘commitRoot’ is set to ZERO,” Certik wrote. “As a result, the attackers were able to bypass the message verification process and dump the bridge contract tokens,” Certik added, noting:
The exploit occurred when a routine update bypassed verification messages on Nomad. Attackers abused it to copy/paste transactions and were able to drain the bridge of almost all funds before it could be shut down.
Cross-chain bridges have suffered exploit after exploit since their introduction. At the end of March, the biggest hack of 2022 saw $620 million stolen from Axie Infinity’s Ronin Bridge. Comparitech researchers detail that the Nomad bridge attack was the third largest breach this year, according to the research firm’s crypto heist tracker. As Nomad connected a variety of blockchain networks, Ava Labs founder and CEO Emin Gün Sirer tweeted about the incident and said the AVAX Bridge is safe.
“The Nomad bridge, used by non-Avalanche chains, was hacked today,” Gün Sirer wrote. “Nomad was the official bridge for EVMOS (Cosmos EVM), Moonbeam (Polkadot EVM), and Milkomeda (another EVM) – Avalanche bridge is unaffected.”
Nomad Raised $22 Million in April, Blockchain Security Firm Certik Says This Particular Bug “Would Be Difficult to Uncover Under Conventional Auditing Practices”
The attack on the Nomad bridge follows the project raising approximately $22.4 million in seed funding as part of a funding round led by Polychain Capital. Other strategic investors that have helped Nomad raise funds include 1kx, Ethereal Ventures, Hack.vc, Circle Ventures, Amber, Robot Ventures, Hypersphere, Figment, Dialectic, Archetype, and Ledgerprime. While a broader audit could have found the Nomad bridge vulnerability, blockchain and smart contract auditors from Certik say this kind of bug would be difficult to find in a conventional audit.
“This type of issue would be difficult to discover under conventional auditing practices that assume all deployment configurations are correct, because this particular bug was introduced by errors in the deployment settings,” Certik’s report on Nomad’s situation concludes. “However, a broader auditing process and comprehensive penetration testing including validation of deployment processes could potentially capture this bug,” the auditors added.
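Certik's point about validating the deployment rather than assuming it is correct can be shown with a simplified model; this is an added example, not Nomad's contract code or Certik's tooling. It assumes, beyond what the article states, that the verifier looks up the root a message was proven under and that an unproven message reads back as the all-zero default; `BridgeModel`, `validate_deployment` and all sample values are hypothetical.

```python
import hashlib

# Simplified model for illustration; names and values are hypothetical.
ZERO_ROOT = b"\x00" * 32  # what an unset 32-byte storage slot reads back as


class BridgeModel:
    """Toy verifier: a message is processable once its proven root is trusted."""

    def __init__(self, initial_root, reject_zero_root=False):
        self.trusted_roots = {initial_root}  # root accepted at initialization
        self.proven = {}                     # message hash -> root it was proven under
        self.reject_zero_root = reject_zero_root

    def prove(self, msg_hash, root):
        # Stand-in for Merkle proof verification, assumed correct here.
        self.proven[msg_hash] = root

    def can_process(self, msg_hash):
        # Assumption: an unproven message maps to the all-zero default.
        root = self.proven.get(msg_hash, ZERO_ROOT)
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        return root in self.trusted_roots


def validate_deployment(bridge):
    """Post-deployment checks that do not assume the configuration is correct."""
    findings = []
    if ZERO_ROOT in bridge.trusted_roots:
        findings.append("zero root is trusted after initialization")
    never_proven = hashlib.sha256(b"constructed message, never proven").digest()
    if bridge.can_process(never_proven):
        findings.append("a message that was never proven passes verification")
    return findings


# Constructed sample deployments.
REAL_ROOT = hashlib.sha256(b"constructed non-empty root").digest()
misconfigured = BridgeModel(ZERO_ROOT)
correct = BridgeModel(REAL_ROOT)
hardened = BridgeModel(ZERO_ROOT, reject_zero_root=True)

if __name__ == "__main__":
    for name, b in [("misconfigured", misconfigured), ("correct", correct),
                    ("hardened", hardened)]:
        print(name, validate_deployment(b) or "no findings")
```

The hardened deployment still reports the zero root as trusted, which is why the configuration check is worth running even when the verifier itself rejects the default value.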