Nomad, a cross-chain token bridge, was exploited for nearly $200 million, with most of its assets drained. Acknowledging the exploit, the Nomad team released a statement saying it is working to identify the accounts involved and to trace and recover the funds.
According to DefiLlama, over $190 million in crypto has been emptied from the protocol, leaving only $651.5 in the wallet.
Online sleuths pin the blame on the platform’s flawed smart contracts. One such expert, a researcher at crypto investment firm Paradigm, detailed how a recent update to one of Nomad’s smart contracts made it easy for exploiters to spoof transactions.
“Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all,” he said. Calling the attack one of the most chaotic in the history of web3, samczsun continued:
“You didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”
Echoing similar views, Evmos, one of Nomad’s newer clients, posted:
“A vulnerability in the bridge contract allowed it to accept arbitrary root hashes, allowing several entities to withdraw large amounts of assets. Currently, Nomad is paused, so users cannot withdraw their ERC20 wrapped assets from Evmos back to Ethereum.”
The platform further tweeted that it would be “brainstorming community solutions” given that it “significantly impacts initial Evmos [total value locked].”
Unlike other bridge attacks, where a single culprit is responsible for the entire exploit, the Nomad attack was an open free-for-all.
Crypto Sleuths Termed Nomad Attack As A “Decentralized Robbery”
In what’s being called a “decentralized robbery,” the vulnerability in Nomad’s code allowed many people to steal money they didn’t own just by copying and pasting a script.
According to reports, some exploited the smart contract using public wallet addresses that are designed to be traceable. Many returned the funds. Others claimed to be acting in good faith and sent back the funds while pledging to protect the smart contract.
Nomad allows users to send and receive tokens between different blockchains. The latest incident has cast serious doubt on the security of cross-chain bridges.