Nomad has suffered one of the biggest exploits in the decentralised finance (DeFi) space since the start of the year.
The Nomad team revealed on Monday that it had suffered an exploit. Following the attack, the cross-chain token bridge has lost virtually all of the funds held within the protocol.
According to the latest reports, the protocol has lost roughly $200 million in this attack.
Nomad is a cross-chain bridge that allows users to send and receive tokens between various blockchains. The exploit on Monday further highlights the security concerns regarding cross-chain bridges.
In a statement to CoinDesk, the Nomad team said:
“An investigation is ongoing, and leading firms for blockchain intelligence and forensics have been retained,” the team said. “We have notified law enforcement and are working around the clock to address the situation and provide timely updates. Our goal is to identify the accounts involved and to trace and recover the funds.”
On Twitter, @samczsun, a researcher at crypto investment firm Paradigm, took the time to explain the exploit in detail.
According to the researcher, the attacker took advantage of a recent update to one of Nomad’s smart contracts, which made it easy for users to spoof transactions. The update allowed users to withdraw money from the Nomad bridge that wasn’t theirs.
The researcher added that, unlike other cross-chain hacks that were perpetrated by a single culprit, Nomad’s attack was a free-for-all. He said:
“It turns out that during a routine upgrade, the Nomad team initialized the trusted root to be 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case, it had a tiny side effect of auto-proving every message.
This is why the hack was so chaotic – you didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”
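To make the zero-root side effect concrete, here is a small Python model written for this article (it is not Nomad’s code): a bridge replica whose never-proven messages read back as the zero root, shown with the vulnerable initialisation beside two ways of closing the hole. The message format, the root value, the prove() helper and the recipient names are constructed assumptions.

```python
import hashlib

# Storage slots default to zero, as Solidity mappings do: a message that was
# never proven has no root on record and reads back as bytes32(0).
ZERO_ROOT = b"\x00" * 32


class Replica:
    """Hypothetical model of a bridge replica's message-acceptance logic."""

    def __init__(self, trust_zero_root: bool, reject_unproven: bool):
        self.messages: dict[bytes, bytes] = {}   # message hash -> proven root
        self.confirm_at: dict[bytes, int] = {}   # root -> block it became acceptable (0 = untrusted)
        self.processed: set[bytes] = set()
        if trust_zero_root:
            # The upgrade described in the article: trusted root initialised to 0x00,
            # so the "no proof on record" value is itself a confirmed root.
            self.confirm_at[ZERO_ROOT] = 1
        self.reject_unproven = reject_unproven

    def prove(self, message: bytes, root: bytes) -> None:
        """Record that `message` was verified against `root` (Merkle proof elided in this model)."""
        self.confirm_at.setdefault(root, 1)
        self.messages[hashlib.sha256(message).digest()] = root

    def acceptable_root(self, root: bytes) -> bool:
        return self.confirm_at.get(root, 0) != 0

    def process(self, message: bytes) -> bool:
        """True if the replica releases funds for `message`, False if it rejects it."""
        h = hashlib.sha256(message).digest()
        if h in self.processed:
            return False                      # replay of an already processed message
        root = self.messages.get(h, ZERO_ROOT)
        if self.reject_unproven and root == ZERO_ROOT:
            return False                      # mitigation: an unproven message can never pass
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        return True


def run(trust_zero_root: bool, reject_unproven: bool) -> dict:
    """Process a legitimately proven message, a copy with the recipient swapped, and a replay (constructed data)."""
    r = Replica(trust_zero_root, reject_unproven)
    legit = b"recipient=0xALICE;amount=100"
    r.prove(legit, hashlib.sha256(b"constructed root").digest())
    copycat = legit.replace(b"0xALICE", b"0xMALLORY")   # never proven, so it reads as ZERO_ROOT
    return {"legit": r.process(legit), "copycat": r.process(copycat), "replay": r.process(legit)}
```

With the zero root trusted and no explicit unproven check, the copycat passes just as the article describes; either correct initialisation or an explicit rejection of the zero root stops it, and the replay guard alone does not help because the copy has a different hash.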
Nomad’s exploit comes a few months after the Wormhole bridge lost $300 million to hackers. Axie Infinity’s Ronin Bridge suffered the heaviest attack in cross-chain history, losing over $600 million to hackers.