US-based crypto project Nomad was hit by a massive hack in which nearly $200 million was compromised on the platform. The hackers are said to have exploited a vulnerability in the platform's handling of transaction call data, affecting multiple users.
Confirming the hack, the company's official Twitter account said that it was investigating the matter and that further updates would follow.
We are aware of the incident involving the Nomad Token Bridge. We are currently investigating and will provide updates when we have them.
— Nomad (@nomadxyz_) August 1, 2022
Many experts believe this is a very different and chaotic hack from some of the previous ones in crypto.
What is Nomad?
Nomad is a US-based crypto project focused on interoperability between different networks, that is, on connecting two blockchains. The project uses programmable bridges to move different cryptos between blockchains in a way it describes as much cheaper and more secure.
The company recently announced the investors in its $22 million funding round, with Polychain Capital, Crypto.com, Coinbase, and Ethereal Ventures among the big names that put in cash.
The irony of the whole situation is that Nomad had been betting big on its security, billing itself as a security-focused cross-chain messaging protocol, so much so that in January its CEO said the project was in a “secure period”.
“We are in a secure period” — @pranaymohan
— Nomad (@nomadxyz_) January 27, 2022
How did the hack happen?
A security researcher who goes by the pseudonym “samczsun” on Twitter explained that the hack became possible when “a routine update marked hash zero as a valid root, which had the effect of allowing messages to be …” The attackers abused it to copy/paste transactions and quickly emptied the bridge in a frantic free-for-all.
If you want to dive into the technical details of the whole hack, you can take a look at this security analyst thread.
1/ Nomad just sold out for over $150 million in one of the most chaotic hacks Web3 has ever seen. How exactly did this happen and what was the root cause? Let me take you behind the scenes pic.twitter.com/Y7Q3fZ7ezm
— samczsun (@samczsun) August 1, 2022
Experts say the vulnerability was so easy to exploit that other hackers could have simply copied the Nomad hacker’s transaction call data and used it to hack into the platform.
What’s even weirder is that this vulnerability was mentioned in the audit report released by QSP-19 a few months ago.
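A simplified model of the root check described above, added here as an illustration and not Nomad's contract code; the class and function names are hypothetical and SHA-256 stands in for the message hash. It assumes a message that was never proven reads back as the zero root (the default for an unset storage slot), which is why trusting hash zero lets unproven messages through, and it shows the check that rejects that case.

```python
import hashlib

ZERO_ROOT = bytes(32)  # what an unset storage slot reads as

class BridgeInbox:
    """Toy model (hypothetical names): a message is processed only if the
    Merkle root it was proven under is in the trusted set."""

    def __init__(self, trusted_roots, reject_zero_root=False):
        self.trusted = set(trusted_roots)
        self.reject_zero_root = reject_zero_root
        self.proven_under = {}   # message hash -> root it was proven against
        self.processed = set()   # replay protection

    def prove(self, message, root):
        # Stand-in for real Merkle proof verification against `root`.
        self.proven_under[hashlib.sha256(message).digest()] = root

    def acceptable_root(self, root):
        if self.reject_zero_root and root == ZERO_ROOT:
            return False         # hardened: "no proof" never counts as a proof
        return root in self.trusted

    def process(self, message):
        h = hashlib.sha256(message).digest()
        # A message that was never proven has no entry, so it reads as zero.
        root = self.proven_under.get(h, ZERO_ROOT)
        if h in self.processed or not self.acceptable_root(root):
            return False
        self.processed.add(h)
        return True

def config_findings(trusted_roots):
    """Pre-deployment check: the zero root must never be trusted."""
    return ["zero root is trusted"] if ZERO_ROOT in trusted_roots else []

def demo():
    real_root = hashlib.sha256(b"constructed tree").digest()  # constructed sample
    after_update = {real_root, ZERO_ROOT}   # state after the faulty update
    weak = BridgeInbox(after_update)
    hard = BridgeInbox(after_update, reject_zero_root=True)
    for box in (weak, hard):
        box.prove(b"proven transfer", real_root)
    msgs = [b"proven transfer", b"unproven A", b"unproven B"]
    return ([weak.process(m) for m in msgs],
            [hard.process(m) for m in msgs],
            config_findings(after_update))
```

Calling `demo()` returns the acceptance results for the weak inbox, the hardened inbox, and the configuration findings, in that order.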
The hack played out within hours, with the platform drained from $200 million to zero. According to some of the tweets on Nomad’s official Twitter account, some of the money was withdrawn by white hat hackers and ethical researchers to ensure that the entire amount did not fall into the hands of unscrupulous entities.
Nomad also instructed these people to send the funds they withdrew to dedicated addresses.
Some additional necessary precautions
Nomad says it is working around the clock to return the funds and has also notified law enforcement. It is also working with on-chain analytics/intelligence firm TRM Labs to trace the funds and identify recipient wallets in order to recover them.
Nomad Bridge Funds Recovery Process
Dear hackers and fellow ethical researchers who protected ETH/ERC-20 tokens,
Please send the funds to the following wallet address on Ethereum: 0x94A84433101A10aEda762968f6995c574D1bF154 pic.twitter.com/UF623JSZ8u
— Nomad (@nomadxyz_) August 3, 2022
Over $1.8 billion worth of crypto has been stolen in bridge hacks over the past two years. These bridges are hastily deployed without proper auditing, which leaves vulnerabilities for hackers to exploit.
Even Ethereum creator Vitalik Buterin has spoken of his pessimism towards bridges, as they are still among the most vulnerable when it comes to hacking.
This breach exacerbates the whole situation for the crypto community as it could be perceived as a crypto hack (which it is not).
Crypto is going through one of its worst phases and the news of any hacks related to crypto platforms is deterring people from investing in the technology. It is absolutely necessary to be more proactive in the development of these underlying technologies so that these vulnerabilities can be nipped in the bud.