On Monday, the Nomad cross-chain token bridge was attacked and the hackers managed to squeeze $190 million out of the protocol, draining the vast majority of its funds. The Nomad cross-chain bridge attack was the third largest cryptocurrency heist of 2022 and the ninth largest of all time.
Nomad Cross-Chain Bridge Exploited for $190 Million
Cross-chain bridges in the world of decentralized finance (defi) cannot catch a break, no matter how long they have been in operation and even after they have been audited. On August 1, 2022, the Nomad cross-chain bridge suffered an attack that saw the bridge lose $190 million in crypto funds. Security experts from blockchain auditing firm CertiK have released a report on the incident describing what happened.
“The vulnerability was in the initialization process where committedRoot is set to ZERO,” wrote CertiK. “Thus, the attackers were able to bypass the message verification process and drain the tokens from the bridge contract,” CertiK added, noting:
The exploit occurred when a routine update allowed the verification of messages on Nomad to be bypassed. The attackers abused it to copy/paste transactions and were able to drain the bridge of nearly all of its funds before it could be stopped.
Cross-chain bridges have suffered exploit after exploit since they were first introduced. In late March, the biggest hack of 2022 saw $620 million stolen from Axie Infinity’s Ronin Bridge. Comparitech researchers detail that the Nomad bridge attack was the third largest breach this year, according to the research firm’s cryptocurrency heist tracker. While Nomad connected a variety of blockchain networks, Ava Labs founder and CEO Emin Gün Sirer tweeted about the incident and said the Avalanche bridge was safe.
“The Nomad Bridge, used by non-Avalanche chains, was breached today,” Gün Sirer wrote. “Nomad was the official bridge for EVMOS (Cosmos EVM), Moonbeam (Polkadot EVM) and Milkomeda (another EVM). The Avalanche Bridge is unaffected.”
Nomad Raised $22 Million in April; Blockchain Security Firm CertiK Says This Particular Bug “Would Be Difficult to Detect With Conventional Auditing Practices”
The attack on the Nomad bridge follows the project’s funding round led by Polychain Capital, in which it raised approximately $22.4 million in initial funding. Other strategic investors who have helped Nomad raise funds include 1kx, Ethereal Ventures, Hack.vc, Circle Ventures, Amber, Robot Ventures, Hypersphere, Figment, Dialectic, Archetype, and Ledgerprime. While an extensive audit could have detected the Nomad bridge vulnerability, CertiK’s blockchain and smart contract auditors say this kind of bug may be harder to find in a conventional audit.
“This kind of problem would be difficult to detect with conventional auditing practices that assume all deployment configurations are correct, because this particular bug was introduced by errors in the deployment parameters,” concludes CertiK’s report on the Nomad situation. “However, a broader auditing process and comprehensive penetration testing that includes validation of deployment processes could potentially catch this bug,” the auditors added.
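The two points above, that a zero committedRoot in the deployment parameters lets unverified messages through, and that a deployment-parameter check is what catches it, can be shown with a small model. The following Python is an added illustration and is not Nomad’s contract code or CertiK’s report; the class and function names (Replica, confirm_at, acceptable_root, validate_deployment_params), the simplified bookkeeping, and the constructed sample message are assumptions made for the example. It models the receiving-side check as “is the root this message was proven against marked as confirmed?”, which is why an unproven message (root defaulting to zero) sails through when the zero root itself has been marked as trusted at initialization, and it shows the check that refuses such a deployment.

```python
"""Illustrative model (added example, not Nomad's code) of how a zero
committedRoot in the deployment parameters makes never-proven messages
look verified, and the deployment-time check that catches the mistake."""
from dataclasses import dataclass, field
from hashlib import sha256

ZERO_ROOT = b"\x00" * 32          # the all-zero Merkle root
GOOD_ROOT = b"\x11" * 32          # constructed stand-in for a real root


@dataclass
class Replica:
    """Hypothetical receiving-side bridge contract, heavily simplified."""
    reject_zero_root: bool        # False = as-deployed behaviour, True = hardened
    now: int = 0                  # stands in for block.timestamp
    # root -> time from which the root is trusted (absent/0 = never proven)
    confirm_at: dict = field(default_factory=dict)
    # message hash -> Merkle root the message was proven against (absent = never)
    messages: dict = field(default_factory=dict)

    def initialize(self, committed_root: bytes) -> bool:
        """Deployment step: the root the replica starts trusting."""
        if self.reject_zero_root and committed_root == ZERO_ROOT:
            return False          # hardened: refuse a zero committedRoot
        self.confirm_at[committed_root] = 1   # trusted from the start
        return True

    def prove(self, msg: bytes, root: bytes) -> None:
        """A real contract verifies a Merkle proof here; we only record the root."""
        self.messages[sha256(msg).digest()] = root

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False          # hardened: the zero root is never acceptable
        t = self.confirm_at.get(root, 0)
        return t != 0 and self.now >= t

    def process(self, msg: bytes) -> bool:
        """True if the message passes verification and would be executed."""
        # A message that was never proven maps to the default (zero) root.
        root = self.messages.get(sha256(msg).digest(), ZERO_ROOT)
        return self.acceptable_root(root)


SAMPLE_MSG = b"constructed: release 100 tokens to recipient X"


def unproven_message_accepted(reject_zero_root: bool, committed_root: bytes) -> bool:
    """Deploy with the given parameters; does a never-proven message pass?"""
    r = Replica(reject_zero_root=reject_zero_root, now=1000)
    r.initialize(committed_root)
    return r.process(SAMPLE_MSG)


def proven_message_accepted(reject_zero_root: bool, committed_root: bytes) -> bool:
    """Sanity check: a message proven against the trusted root still passes."""
    r = Replica(reject_zero_root=reject_zero_root, now=1000)
    r.initialize(committed_root)
    r.prove(SAMPLE_MSG, committed_root)
    return r.process(SAMPLE_MSG)


def validate_deployment_params(params: dict) -> list:
    """The kind of deployment-parameter validation a broader audit includes.
    Returns a list of problems; an empty list means the parameters look sane."""
    problems = []
    root_hex = params.get("committedRoot")
    if root_hex is None:
        problems.append("committedRoot missing from deployment parameters")
        return problems
    root = bytes.fromhex(root_hex)
    if len(root) != 32:
        problems.append(f"committedRoot has {len(root)} bytes, expected 32")
    if root == ZERO_ROOT:
        problems.append("committedRoot is zero: unproven messages would be accepted")
    return problems


if __name__ == "__main__":
    print("buggy deploy, unproven msg :", unproven_message_accepted(False, ZERO_ROOT))
    print("good params, unproven msg  :", unproven_message_accepted(False, GOOD_ROOT))
    print("hardened, zero root        :", unproven_message_accepted(True, ZERO_ROOT))
    print("good params, proven msg    :", proven_message_accepted(False, GOOD_ROOT))
    print("param check (zero root)    :", validate_deployment_params({"committedRoot": "00" * 32}))
```

The point of the model is that the contract logic is identical in the safe and unsafe deployments; only the initialization parameter differs, which is exactly why a code-only review that assumes the deployment configuration is correct would not flag it, while a check run against the actual deployment parameters (or a post-deployment probe asking whether an unproven message is accepted) would.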