On Monday, the cross-chain token bridge Nomad was attacked and hackers managed to siphon $190 million from the protocol, draining a great majority of the funds. The Nomad cross-chain bridge attack was the third-biggest crypto heist of 2022, and the ninth largest of all time.
Table of Contents
Nomad Cross-Chain Bridge Exploited for $190 Million
Cross-chain bridges in the world of decentralized finance (defi) just can’t catch a break no matter how long they have been running and even after the bridges have been audited. On August 1, 2022, the cross-chain bridge Nomad suffered an attack that saw the bridge lose $190 million in crypto funds. Security experts at the blockchain auditing firm Certik published an incident report describing what happened.
“The vulnerability was in the initialization process where the “committedRoot” is set as ZERO,” Certik wrote. “Therefore, the attackers were able to bypass the message verification process and drain the tokens from the bridge contract,” Certik added, noting:
The exploit occurred when a routine upgrade allowed verification messages to be bypassed on Nomad. Attackers abused this to copy/paste transactions and were able to drain the bridge of nearly all funds before it could be stopped.
Cross-chain bridges have been suffering from exploit after exploit since they were first introduced. At the end of March, the largest hack of 2022 saw $620 million stolen from Axie Infinity’s Ronin bridge. Researchers at Comparitech detail that the Nomad bridge attack was the third-largest breach this year, according to the research firm’s crypto heist tracker. While Nomad connected a variety of blockchain networks, the founder and CEO of AVA Labs, Emin Gün Sirer, tweeted about the incident and said the AVAX bridge was safe.
“The Nomad bridge, used by non-Avalanche chains, was hacked today,” Gün Sirer wrote. “Nomad was the official bridge for EVMOS (Cosmos EVM), Moonbeam (Polkadot EVM), and Milkomeda (another EVM) — The Avalanche Bridge is unaffected.”
Nomad Raised $22 Million in April, Blockchain Security Company Certik Says This Particular Bug ‘Would Be Difficult to Discover Under Conventional Auditing Practices’
The attack against the Nomad bridge follows the project raising approximately $22.4 million in seed funding in a finance round led by Polychain Capital. Other strategic investors that helped Nomad raise funds include 1kx, Ethereal Ventures, Hack.vc, Circle Ventures, Amber, Robot Ventures, Hypersphere, Figment, Dialectic, Archetype, and Ledgerprime. While a broad audit could have found the Nomad bridge vulnerability, the blockchain and smart contract auditors from Certik say this attack may be more difficult to find in a conventional audit.
“This type of issue would be difficult to discover under conventional auditing practices that assume all deployment configurations are correct, because this particular bug was introduced by mistakes in the deployment parameters,” Certik’s report on the Nomad situation concludes. “However, a broader auditing process and full-scope penetration test that includes validating deployment processes would potentially capture this bug,” the auditors added.
What do you think about the recent cross-chain exploit against the Nomad bridge? Let us know what you think about this subject in the comments section below.
Jamie Redman is the News Lead at Bitcoin.com News and a financial tech journalist living in Florida. Redman has been an active member of the cryptocurrency community since 2011. He has a passion for Bitcoin, open-source code, and decentralized applications. Since September 2015, Redman has written more than 5,700 articles for Bitcoin.com News about the disruptive protocols emerging today.
Image Credits: Shutterstock, Pixabay, Wiki Commons, Comparitech,
Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement of any products, services, or companies. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.